Storage containers in blob storage mode should not have public access

Property
Language: terraform
Severity: high
Service: storage
Provider: Azure
Vulnerability Type: misconfiguration

Description

The configuration allows public access to Azure Blob Storage containers, meaning anyone on the internet can read data stored within them. This exposes potentially sensitive or private files without authentication controls.

Impact

If exploited, attackers can freely access and download data from the storage container, leading to data leaks, exposure of confidential information, compliance violations, and potential reputational or financial damage to the organization.

Storage of Sensitive Data in a Mechanism without Access Control

Property
Language: rust
Severity: low
CWE: CWE-921: Storage of Sensitive Data in a Mechanism without Access Control
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

Authorization headers are being added to HTTP requests without setting the ‘sensitive’ flag using ‘set_sensitive(true)’. This means sensitive credentials like API keys or tokens may not be properly protected during logging or error handling.

Impact

If sensitive headers are not marked as such, their values could be accidentally exposed in logs, debugging output, or error messages. This can lead to credential leakage, allowing attackers to gain unauthorized access to protected resources or user accounts.

Synapse Workspace should have managed virtual network enabled, the default is disabled.

Property
Language: terraform
Severity: medium
Service: synapse
Provider: Azure
Vulnerability Type: omission

Description

The Synapse Workspace is configured without managed virtual network enabled, which means it does not use an isolated network environment for secure communications with other Azure resources. This leaves the workspace exposed to public endpoints instead of using private links.

Impact

Without a managed virtual network and private endpoints, sensitive data in the Synapse Workspace could be accessed over the public internet, increasing the risk of unauthorized access, data leakage, and exposure to network-based attacks.

SYS_ADMIN capability added

Property
Language: terraform
Severity: high
Vulnerability Type: misconfiguration

Description

Granting the SYS_ADMIN capability to containers gives processes inside the container root-level privileges, significantly expanding their control over the host system. This configuration bypasses key container isolation mechanisms and introduces serious security risks.

Impact

If exploited, an attacker with access to the container could perform privileged operations such as mounting file systems, altering kernel parameters, or escaping the container to compromise the underlying host. This can lead to full system compromise, data breaches, and unauthorized control over other workloads in the cluster.

SYS_MODULE capability added

Property
Language: terraform
Severity: high
Vulnerability Type: misconfiguration

Description

Granting the SYS_MODULE capability to containers allows them to load or unload kernel modules, which bypasses key security boundaries. This exposes the container host to elevated risks, as it grants extensive control over the underlying system.

Impact

If exploited, an attacker with access to such a container could install malicious kernel modules or alter system-level behavior, potentially leading to privilege escalation, host compromise, and full control over the infrastructure.

system:authenticate group access binding

Property
Language: terraform
Severity: critical

Description

Binding the ‘system:authenticated’ group to any Kubernetes role or clusterrole grants all authenticated users the permissions of that role, which exposes sensitive actions to a broad audience. This misconfiguration undermines role-based access control by allowing excessive privilege escalation.

Impact

If exploited, any authenticated user could gain elevated permissions within the cluster, potentially leading to unauthorized access, modification, or deletion of resources, data breaches, and full cluster compromise.

system:authenticate group access binding

Property
Language: terraform
Severity: critical

Description

Binding the system:authenticated group to any clusterrole or role is a security risk.

Resolution

Remove system:authenticated group binding from clusterrolebinding or rolebinding.

Task definition defines sensitive environment variable(s).

Property
Language: terraform
Severity: critical
Service: ecs
Provider: AWS
Vulnerability Type: omission

Description

Sensitive information such as passwords, API keys, or secrets is stored as plaintext environment variables in ECS task definitions. This exposes confidential data directly in the task configuration, which can be viewed by anyone with access to the AWS Management Console or infrastructure code.

Impact

If exploited, attackers or unauthorized users could retrieve credentials or secrets from the environment variables, leading to potential unauthorized access to databases, APIs, or other critical systems. This can result in data breaches, service disruption, and compromise of cloud resources.

Temporary file logging should be enabled for all temporary files.

Property
Language: terraform
Severity: medium
Service: sql
Provider: Google
Vulnerability Type: omission

Description

The configuration does not enable logging for temporary files in Google Cloud SQL for PostgreSQL, or only logs files above a certain size. As a result, temporary file activity is not fully captured in logs, reducing visibility into database operations.

Impact

Lack of comprehensive temporary file logging can hinder detection of suspicious or malicious activity, such as large or unexpected queries, making it harder to investigate security incidents or performance issues. This could allow attackers to exploit the database without leaving adequate audit trails.

The db instance has common private network

Property
Language: terraform
Severity: low
Service: rdb
Provider: Nifcloud

Description

The database instance is configured to use a common private network that is shared with other users, rather than an isolated private LAN. This setup does not adequately separate sensitive traffic from other tenants on the same infrastructure.

Impact

Using a shared network exposes the database instance to potential unauthorized access or eavesdropping by other users on the same network segment, increasing the risk of data leakage or compromise of sensitive information.