Improper Privilege Management

Property
Language: yaml
Severity: low
CWE: CWE-269: Improper Privilege Management
OWASP: A04:2021 - Insecure Design
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The pod configuration enables ‘hostPID’, which allows containers to share the host’s process ID namespace. This can let processes inside the container see and interact with processes running on the host, increasing the risk of privilege escalation.

Impact

If exploited, attackers could gain visibility into or control over host processes from within a compromised container, potentially escaping the container boundary and gaining elevated privileges on the host machine. This can lead to unauthorized access, process manipulation, or full host compromise.

Improper Privilege Management

Property
Language: yaml
Severity: high
CWE: CWE-269: Improper Privilege Management
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: High
Impact Level: High
Likelihood Level: Medium

Description

The ClusterRole grants wildcard (‘*’) permissions to all resources and actions within the Kubernetes core API, effectively allowing unrestricted access. This broad permission set means anyone with this role can perform any action on any resource in the cluster.

Impact

If exploited, an attacker with this role could read, modify, or delete any Kubernetes resource, potentially disrupting workloads, exposing sensitive data, or taking full control of the cluster. This level of access undermines security boundaries and increases the risk of accidental or malicious misuse.

Improper Privilege Management

Property
Language: hcl
Severity: low
CWE: CWE-269: Improper Privilege Management
OWASP: A04:2021 - Insecure Design
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The IAM policy grants sensitive actions—such as creating access keys or login profiles—on other users or wildcard resources. This broad permission can let unauthorized users escalate their privileges in the AWS account.

Impact

If exploited, an attacker could create credentials or change passwords for other users, gaining administrative access and potentially taking full control of your AWS environment. This could lead to data breaches, resource misuse, or service disruptions.

Improper Privilege Management

Property
Language: hcl
Severity: low
CWE: CWE-269: Improper Privilege Management
OWASP: A04:2021 - Insecure Design
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The IAM policy allows all actions (‘*’) on specified resources, granting full permissions instead of restricting access to only what is necessary. This violates the principle of least privilege and can expose resources to misuse.

Impact

If exploited, anyone with the policy could perform any action on the assigned resources, including deleting, modifying, or exfiltrating sensitive data. This broad access increases the risk of security breaches, accidental changes, and potential data loss across your AWS environment.

Improper Privilege Management

Property
Language: hcl
Severity: low
CWE: CWE-269: Improper Privilege Management
OWASP: A04:2021 - Insecure Design
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

This code assigns AWS IAM policies that allow both ‘iam:PassRole’ and other sensitive actions (like ‘sts:AssumeRole’ or ‘lambda:CreateFunction’) to the same user or role without any explicit deny. This combination can enable users to escalate their own privileges.

Impact

If exploited, an attacker could gain full administrative access to your AWS account by using these permissions to assume higher-privilege roles or create resources with elevated rights. This could lead to unauthorized actions, data breaches, or total compromise of cloud infrastructure.

Improper Privilege Management

Property
Language: hcl
Severity: low
CWE: CWE-269: Improper Privilege Management
OWASP: A04:2021 - Insecure Design
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The IAM policy grants full administrative access (‘Action’ and ‘Resource’ set to ‘*’), allowing any action on any AWS resource. This violates the principle of least privilege and exposes the account to excessive risk.

Impact

If exploited, an attacker or compromised user could take complete control of all AWS resources, including deleting data, modifying configurations, or escalating privileges, potentially resulting in total compromise of the cloud environment.

Improper Privilege Management

Property
Language: dockerfile
Severity: medium
CWE: CWE-269: Improper Privilege Management
OWASP: A04:2021 - Insecure Design
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

The Dockerfile does not specify a non-root user before setting the ENTRYPOINT, causing the application to run as the root user inside the container. Running as root increases the risk of privilege escalation if the application is compromised.

Impact

If an attacker exploits a vulnerability in the application, they could gain root access within the container, allowing them to install malware, modify files, or attempt to break out of the container and impact the host system or other services. This significantly increases the potential damage from any security breach.

Improper Privilege Management

Property
Language: dockerfile
Severity: medium
CWE: CWE-269: Improper Privilege Management
OWASP: A04:2021 - Insecure Design
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

If you don’t specify a non-root USER in your Dockerfile, applications inside the container will run as root by default. This gives processes inside the container unnecessary administrative privileges.

Impact

If an attacker exploits a vulnerability in your application, running as root allows them to take full control of the container, potentially leading to data theft, container escape, or damage to the host system. Running as a non-root user limits what an attacker can do if the container is compromised.

Improper Privilege Management

Property
Language: dockerfile
Severity: medium
CWE: CWE-269: Improper Privilege Management
OWASP: A04:2021 - Insecure Design
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The Dockerfile sets the final user as ‘root’, meaning the container runs with full administrative privileges. This increases risk if attackers gain access, as they would control the whole system.

Impact

If exploited, an attacker could use root privileges to modify system files, install malware, or move laterally to other systems. This can lead to data breaches, service disruption, and compromise of the host environment.

Improper Privilege Management

Property
Language: java
Severity: low
CWE: CWE-269: Improper Privilege Management
OWASP: A04:2021 - Insecure Design
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Using Java’s doPrivileged blocks can grant elevated permissions to code, potentially allowing untrusted or less-privileged code to perform sensitive actions. If not carefully scoped, this can unintentionally expose critical resources or operations.

Impact

Attackers may exploit overly broad or misused privileged code sections to bypass security checks and access files, system resources, or perform actions outside their intended permissions. This can lead to data breaches, unauthorized actions, or compromise of the application’s security boundaries.