Interpretation Conflict

Property
Language: go
Severity: low
CWE: CWE-436: Interpretation Conflict
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Directly modifying fields of a shared ‘url.URL’ struct in Go can unintentionally alter the URL for other parts of the code that use the same reference. This can lead to unexpected or incorrect URL values being used elsewhere in your application.

Impact

If a shared URL struct is accidentally mutated, it may result in requests being sent to the wrong endpoints, leaking sensitive data, or causing logic errors. In security-sensitive applications, this could enable attackers to redirect traffic, bypass access controls, or manipulate application behavior.

Key Exchange without Entity Authentication

Property
Language: go
Severity: low
CWE: CWE-322: Key Exchange without Entity Authentication
OWASP: A02:2021 - Cryptographic Failures
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The code disables SSH host key verification by using ‘ssh.InsecureIgnoreHostKey()’, meaning it does not check if the server’s identity is genuine. This makes SSH connections vulnerable to connecting to malicious or unexpected servers.

Impact

If exploited, attackers could perform man-in-the-middle attacks, intercepting or altering sensitive data sent over SSH connections. This compromises the confidentiality and integrity of communications, potentially leading to unauthorized access, data leaks, or further attacks on internal systems.

Key Exchange without Entity Authentication

Property
Language: python
Severity: low
CWE: CWE-322: Key Exchange without Entity Authentication
OWASP: A02:2021 - Cryptographic Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code configures a Paramiko SSH client to automatically trust any server’s host key without verifying its authenticity. This means your application will connect to any SSH server, including potentially malicious ones, without checking if it’s the intended host.

Impact

If exploited, an attacker could perform a man-in-the-middle attack by impersonating a trusted server, intercepting sensitive data or credentials transmitted over SSH. This undermines the security of SSH connections and could lead to unauthorized access or data breaches.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Azure Batch account resource is not configured to use Azure Key Vault for data encryption. This means sensitive data stored or processed by the Batch account may not be properly protected.

Impact

Without Key Vault-based encryption, sensitive information managed by the Batch account could be exposed if the resource is compromised. Attackers may gain access to unencrypted data, increasing the risk of data breaches and non-compliance with security standards.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Azure managed disk resource is configured without encryption enabled, which means data stored on the disk is not protected at rest. This leaves sensitive information vulnerable to unauthorized access.

Impact

Without disk encryption, attackers or malicious insiders who gain access to the underlying storage could read confidential data. This increases the risk of data breaches and may lead to regulatory compliance issues or loss of sensitive business information.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Service Fabric cluster configuration does not enforce the highest protection level (‘EncryptAndSign’) for communications. This means data exchanged between cluster nodes may not be fully encrypted and authenticated.

Impact

Without full encryption and signing, sensitive data within the cluster could be intercepted or tampered with by attackers, potentially leading to data breaches, unauthorized access, or manipulation of cluster operations.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Azure Data Explorer (Kusto) cluster is not configured to use disk encryption. This means data stored on disk is not protected at rest, increasing the risk of unauthorized access.

Impact

Without disk encryption, sensitive information on the cluster’s disks could be exposed if an attacker gains access to the underlying storage, potentially leading to data breaches or compliance violations.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The managed disk resource in your Terraform configuration does not specify a disk encryption set, meaning it may not use customer-managed keys for encryption. This can result in disks being protected only by platform-managed keys, reducing control over encryption and key management.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The virtual machine scale set is not configured with host-level encryption, which means that data stored on the VM host is not automatically encrypted at rest. This leaves sensitive information vulnerable if the underlying hardware is accessed without proper authorization.

Impact

Without enabling encryption at host, attackers or unauthorized personnel with physical or administrative access to Azure infrastructure could potentially access unencrypted data stored on VM disks. This increases the risk of data breaches and exposure of confidential information, potentially violating compliance requirements.

Key Management Errors

Property
Language: hcl
Severity: low
CWE: CWE-320: CWE CATEGORY: Key Management Errors
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Cosmos DB account is not configured to use customer-managed keys for encrypting data at rest. This means Azure manages the encryption keys instead of your organization, reducing your control over data security.

Impact

If customer-managed keys are not used, your organization cannot control key rotation or revoke access independently, increasing the risk of unauthorized data access if Azure’s default keys are compromised. This can lead to potential data breaches and loss of compliance with security standards.