Misinterpretation of Input

Property
Language: go
Severity: low
CWE: CWE-115: Misinterpretation of Input
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

When using ReverseProxy with a custom Director function in Go, headers added by the Director can be unintentionally removed before the request is sent. Using ReverseProxy.Rewrite instead ensures headers are preserved as intended.

Impact

If headers set by the Director are dropped, important context or security controls (such as authentication or tracing headers) may be lost, potentially leading to failed requests or allowing attackers to bypass security checks relying on those headers.

Missing Authentication for Critical Function

Property
Language: typescript
Severity: medium
CWE: CWE-306: Missing Authentication for Critical Function
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The CodeBuild project is configured to have a public URL, making its build results, logs, and artifacts accessible to anyone without authentication. This exposes sensitive project information to the public, including past builds.

Impact

If exploited, unauthorized users can view or download build logs and artifacts, potentially exposing source code, credentials, or other confidential data. This can lead to data leaks, intellectual property theft, or further attacks against your application or infrastructure.

Missing Authentication for Critical Function

Property
Language: typescript
Severity: high
CWE: CWE-306: Missing Authentication for Critical Function
OWASP: A07:2021 - Identification and Authentication Failures
Confidence Level: Medium
Impact Level: High
Likelihood Level: High

Description

Granting public access to an S3 bucket using the grantPublicAccess method makes all objects in the bucket accessible to anyone on the internet. This bypasses authentication controls and exposes data to unauthorized users.

Impact

If exploited, attackers or anyone online could view, download, or misuse sensitive files stored in the bucket. This could lead to data leaks, regulatory violations, loss of intellectual property, or reputational damage to your organization.

Missing Authorization

Property
Language: dockerfile
Severity: high
CWE: CWE-862: Missing Authorization
Confidence Level: High
Impact Level: High
Likelihood Level: Medium

Description

Mounting the Docker socket (docker.sock) inside a container gives processes in the container full control over the Docker host. This exposes the host to risks if the container is compromised.

Impact

If an attacker gains access to the container, they can use the Docker socket to escape the container and execute arbitrary commands on the host system, potentially leading to full system compromise, data breaches, or lateral movement across your infrastructure.

Missing Authorization

Property
Language: csharp
Severity: medium
CWE: CWE-862: Missing Authorization
OWASP: A01:2021 - Broken Access Control
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

This code exposes controller classes without any authorization checks, allowing anyone to access their endpoints regardless of authentication or user role. Access control should be enforced unless anonymous access is explicitly intended.

Impact

Without proper authorization, attackers or unauthorized users could access sensitive functionality or data, perform actions reserved for authenticated users, and potentially compromise the security of the application. This can lead to data breaches, privilege escalation, and loss of control over protected resources.

Missing description for db security group.

Property
Language: terraform
Severity: low
Service: rdb
Provider: Nifcloud

Description

DB security groups are defined without a description field, making it unclear what each rule is intended for. This omission hinders effective management, auditing, and understanding of firewall configurations.

Impact

Lack of descriptive context can lead to confusion during security audits, troubleshooting, or team handovers, increasing the risk of misconfiguration, accidental exposure, or unintentional changes to critical security rules.

Missing description for nas security group.

Property
Language: terraform
Severity: low
Service: nas
Provider: Nifcloud

Description

NAS security groups are defined without a description, making it unclear what each group is intended to protect or allow. This lack of context complicates understanding and managing firewall rules.

Impact

Missing descriptions hinder effective auditing and troubleshooting, increasing the risk of misconfigurations or unused rules being overlooked. This can lead to unauthorized access or operational disruptions due to unclear security group purposes.

Missing description for security group rule.

Property
Language: terraform
Severity: low
Service: ec2
Provider: AWS

Description

Security group rules are missing descriptions, making it unclear why specific network access is allowed or denied. This lack of context complicates auditing, troubleshooting, and managing security group configurations.

Impact

Without descriptive information, it becomes difficult to identify the purpose of each rule, increasing the risk of accidental misconfiguration or unauthorized access. This can hinder incident response and lead to security gaps going undetected.

Missing description for security group rule.

Property
Language: terraform
Severity: low
Service: computing
Provider: Nifcloud

Description

Security group rules are defined without a description, making it unclear why the rule exists or what its purpose is. This lack of context complicates auditing, troubleshooting, and future management of firewall rules.

Impact

Missing descriptions can lead to misconfigured or unnecessary rules remaining in place, increasing the risk of unauthorized access or accidental exposure. It also makes it harder for teams to quickly identify, review, or update rules, potentially delaying incident response and weakening security posture.

Missing description for security group.

Property
Language: terraform
Severity: low
Service: ec2
Provider: AWS

Description

Security groups are defined without a description field, making it difficult to understand their intended purpose or usage. This lack of context complicates auditing, management, and troubleshooting of firewall rules.

Impact

Missing descriptions can lead to misconfiguration, accidental exposure, or difficulty identifying unnecessary or overly permissive rules. This increases the risk of unauthorized access and slows down incident response or compliance efforts.