Insufficient Logging

Property
Language: hcl
Severity: low
CWE: CWE-778: Insufficient Logging
OWASP: A09:2021 - Security Logging and Monitoring Failures
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

Your AWS DocumentDB cluster does not have auditing enabled, meaning activity logs are not being exported to CloudWatch. Without this, you lack visibility into who is accessing or modifying your database.

Impact

If auditing is not enabled, suspicious or unauthorized actions could go undetected, making it difficult to investigate security incidents, meet compliance requirements, or respond to potential breaches. This lack of monitoring can leave your data and organization at risk.

Insufficient Session Expiration

Property
Language: csharp
Severity: high
CWE: CWE-613: Insufficient Session Expiration
OWASP: A02:2017 - Broken Authentication
Confidence Level: High
Impact Level: Medium
Likelihood Level: High

Description

The code disables JWT token expiration or lifetime validation by setting RequireExpirationTime or ValidateLifetime to false in TokenValidationParameters. This allows tokens to be accepted even after they have expired, which is insecure.

Impact

If token expiration is not enforced, attackers can reuse stolen or old JWT tokens indefinitely to access protected resources. This undermines authentication, increases the risk of unauthorized access, and can lead to compromised user accounts or sensitive data exposure.

Insufficient Verification of Data Authenticity

Property
Language: hcl
Severity: medium
CWE: CWE-345: Insufficient Verification of Data Authenticity
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

The ECR repository allows image tags to be changed after creation, meaning existing images can be silently replaced. Without setting 'image_tag_mutability' to 'IMMUTABLE', image tags are not protected from being overwritten.

Impact

If an attacker or unauthorized user can overwrite image tags, they could inject malicious code or replace trusted images with compromised versions. This could lead to code execution, supply chain attacks, or deployment of untrusted containers, putting applications and infrastructure at serious risk.

Insufficient Verification of Data Authenticity

Property
Language: go
Severity: low
CWE: CWE-345: Insufficient Verification of Data Authenticity
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The code is decoding JWT tokens using ParseUnverified, which extracts token data without verifying its signature. This means anyone can tamper with the token contents and the code will still trust them as valid.

Impact

If exploited, attackers could forge or modify JWT tokens to gain unauthorized access, escalate privileges, or manipulate user data. This undermines authentication and authorization, leading to serious security breaches such as account takeover or data exposure.

Insufficient Verification of Data Authenticity

Property
Language: java
Severity: medium
CWE: CWE-345: Insufficient Verification of Data Authenticity
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

The code decodes a JWT token without verifying its signature, which means it accepts any token as valid regardless of who created it. Without verification, the token's contents and claims cannot be trusted.

Impact

An attacker could forge JWT tokens with arbitrary claims (such as user roles or permissions) and gain unauthorized access or escalate privileges in your application. This can lead to data breaches, account takeover, or other serious security incidents.

Insufficient Verification of Data Authenticity

Property
Language: javascript
Severity: low
CWE: CWE-345: Insufficient Verification of Data Authenticity
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code listens for 'message' events (e.g., from postMessage) but does not check the origin of the messages received. This allows messages from any website or iframe to be processed, regardless of their trustworthiness.

Impact

An attacker could send malicious messages from another origin, potentially causing your application to execute harmful actions or leak sensitive data. This can lead to security issues like cross-site scripting (XSS), data theft, or unauthorized actions within your app.

Insufficient Verification of Data Authenticity

Property
Language: javascript
Severity: high
CWE: CWE-345: Insufficient Verification of Data Authenticity
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

Using window.postMessage() with a target origin of '*' allows any website to receive sensitive messages from your application. This means data could be exposed to untrusted or malicious origins.

Impact

An attacker hosting a malicious site could intercept messages meant for trusted domains, potentially gaining access to sensitive information or credentials. This can lead to data leaks, unauthorized actions, and compromise of user security within your application.

Insufficient Verification of Data Authenticity

Property
Language: ruby
Severity: low
CWE: CWE-345: Insufficient Verification of Data Authenticity
OWASP: A08:2021 - Software and Data Integrity Failures
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code decodes JWT tokens without verifying their signature, which means it accepts tokens without checking if they are genuine. This allows untrusted or tampered tokens to be used in your application.

Impact

If exploited, attackers could forge JWT tokens with any claims they want (such as elevated privileges or fake user identities), leading to unauthorized access, privilege escalation, or data breaches. This can compromise user accounts and the overall security of the application.

Insufficiently Protected Credentials

Property
Language: hcl
Severity: medium
CWE: CWE-522: Insufficiently Protected Credentials
OWASP: A02:2017 - Broken Authentication
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

Database passwords are hardcoded directly in Terraform source files for AWS RDS resources. This exposes sensitive credentials in version control and to anyone with access to the codebase.

Impact

If attackers or unauthorized users access the source code, they can obtain database credentials, potentially leading to unauthorized data access, data breaches, or service disruption. This compromises the security of your database and may violate compliance requirements.