Clusters should be set to private

Property
Languageterraform
Severitymedium
Servicegke
ProviderGoogle
Vulnerability Typeomission

Description

The cluster is configured without private nodes, causing nodes to receive public IP addresses and be accessible from outside the internal network. This increases exposure to unauthorized external access.

Impact

If exploited, attackers could reach cluster nodes directly over the public internet, potentially enabling unauthorized access, compromise of workloads, or lateral movement within the environment, leading to data breaches or service disruptions.

Clusters should have IP aliasing enabled

Property
Languageterraform
Severitylow
Servicegke
ProviderGoogle

Description

The GKE cluster is configured without IP aliasing, requiring nodes to use a NAT gateway for internal communication. This setup does not leverage GCP’s internal IP allocation features, leading to less efficient network configuration.

Impact

Without IP aliasing, nodes rely on NAT gateways to access internal and external resources, increasing network complexity, cost, and potential exposure. This can also hinder scalability and make network management more difficult, potentially increasing the attack surface.

CodeBuild Project artifacts encryption should not be disabled

Property
Languageterraform
Severityhigh
Servicecodebuild
ProviderAWS
Vulnerability Typemisconfiguration

Description

The CodeBuild project is configured with artifact encryption disabled, causing build outputs to be stored in an unencrypted state. This exposes sensitive build artifacts to unauthorized access if storage is compromised.

Impact

Unencrypted CodeBuild artifacts can be accessed or tampered with by anyone who gains access to the storage location, potentially leading to exposure of proprietary code, credentials, or other sensitive information, and increasing the risk of data breaches or supply chain attacks.

Command Shell in Externally Accessible Directory

Property
Languagepython
Severitylow
CWECWE-553: Command Shell in Externally Accessible Directory
Confidence LevelLow
Impact LevelMedium
Likelihood LevelLow

Description

The code implements a reverse shell by connecting to a remote server and spawning a shell process (like /bin/sh), which can give an attacker remote command execution on your system. This behavior allows someone to control the affected machine over the network.

Impact

If exploited, an attacker could gain full remote access to the server, allowing them to run arbitrary commands, steal sensitive data, modify files, or use the machine as part of a larger attack. This can lead to complete system compromise and data breaches.

Compiler Removal of Code to Clear Buffers

Property
Languagec
Severitylow
CWECWE-14: Compiler Removal of Code to Clear Buffers
OWASPA04:2021 - Insecure Design
Confidence LevelLow
Impact LevelMedium
Likelihood LevelLow

Description

Using memset() to erase sensitive data from memory is unreliable because compilers may optimize away these calls, leaving sensitive information in memory. Instead, memset_s() should be used to securely clear buffers containing confidential data.

Impact

If sensitive data like passwords or cryptographic keys remain in memory due to ineffective clearing, attackers could retrieve this information through memory dumps or after buffer reuse, leading to data breaches or compromise of critical systems.

Compute instance requests an IP reservation from a public pool

Property
Languageterraform
Severitycritical
Servicecompute
ProviderOracle
Vulnerability Typemisconfiguration

Description

A compute instance is configured to reserve an IP address from a public IP pool, making it accessible from the internet. This exposure increases the risk of unauthorized access if proper security controls are not enforced.

Impact

If exploited, attackers could connect directly to the compute instance from outside the organization’s network, potentially leading to data breaches, service disruption, or unauthorized control over the instance.

Config configuration aggregator should be using all regions for source

Property
Languageterraform
Severityhigh
Serviceconfig
ProviderAWS
Vulnerability Typemisconfiguration

Description

The AWS Config configuration aggregator is not set to collect configuration data from all regions, leaving some regions unmonitored. This creates gaps in visibility over resource configurations.

Impact

Resources deployed in regions not included by the aggregator will not be monitored, potentially allowing unauthorized or misconfigured assets to go undetected. This can lead to compliance failures and increase the risk of security incidents in unmonitored regions.

ConfigMap with secrets

Property
Languageterraform
Severityhigh
Vulnerability Typeomission

Description

Sensitive information such as passwords or secrets is being stored in Kubernetes ConfigMaps, which are not designed for secure storage and do not provide encryption or access restrictions. This practice exposes confidential data in plain text within the cluster.

Impact

An attacker or unauthorized user with access to the cluster can easily retrieve sensitive credentials from ConfigMaps, potentially leading to unauthorized access to databases, services, or external systems, and resulting in data breaches or service compromise.

ConfigMap with sensitive content

Property
Languageterraform
Severitymedium
Vulnerability Typeomission

Description

Sensitive information such as usernames and email addresses is being stored in Kubernetes ConfigMaps, which are not designed for secure data storage. ConfigMaps store data in plaintext and are accessible to any pod with read permissions.

Impact

If exploited, attackers or unauthorized users with access to the cluster can read sensitive data from ConfigMaps, leading to credential exposure, privacy breaches, or facilitating further attacks against the environment.

Configuration

Property
Languagehcl
Severitylow
CWECWE-16: CWE CATEGORY: Configuration
OWASPA06:2017 - Security Misconfiguration
Confidence LevelLow
Impact LevelLow
Likelihood LevelLow

Description

The storage account network rules are configured with ‘default_action’ set to ‘Allow’ instead of ‘Deny’, which means that, by default, network traffic is permitted unless explicitly blocked. This leaves the storage account open to unintended access from unauthorized sources.

Impact

If the default action is not set to ‘Deny’, attackers or unauthorized users could potentially access sensitive data in the storage account from untrusted networks. This increases the risk of data breaches, information leakage, and potential compliance violations for the organization.