Configuration

Property
Language: generic
Severity: low
CWE: CWE-16: CWE CATEGORY: Configuration
OWASP: A06:2017 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

A location block in your NGINX configuration uses ‘proxy_pass’ without the ‘internal’ directive, so the proxied endpoint is reachable by external clients rather than only by internal redirects. This allows external users to send arbitrary requests to the upstream through your server.

Impact

If exploited, attackers could leverage your server to perform server-side request forgery (SSRF), potentially accessing internal resources, sensitive data, or abusing your infrastructure to attack other systems. This can lead to information disclosure, unauthorized access, or help attackers bypass network controls.

Configuration

Property
Language: generic
Severity: low
CWE: CWE-16: CWE CATEGORY: Configuration
OWASP: A06:2017 - Security Misconfiguration
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Defining the ‘add_header’ directive inside an NGINX location block when headers are already set in the server block overrides those server-level headers: NGINX does not merge ‘add_header’ directives across levels, so a location that declares any ‘add_header’ inherits none from the server block. This means any security headers set at the server level may be unintentionally removed or changed for that location.

Impact

Overwriting important security headers can weaken protections like HSTS, CSP, or X-Frame-Options, increasing the risk of attacks such as cross-site scripting or clickjacking. This misconfiguration may expose your application to security vulnerabilities that rely on consistent header settings.

Configuration

Property
Language: generic
Severity: low
CWE: CWE-16: CWE CATEGORY: Configuration
OWASP: A06:2017 - Security Misconfiguration
Confidence Level: Medium
Impact Level: Low
Likelihood Level: Low

Description

The proxy configuration allows the protocol scheme (e.g., http or https) of the upstream connection to be set dynamically from request data, which could let an attacker influence or inject the scheme used for upstream connections. This makes it possible to force insecure or unintended connections.

Impact

If exploited, an attacker could redirect traffic over insecure channels or to malicious servers, potentially exposing sensitive data or enabling further attacks like Server-Side Request Forgery (SSRF). This could compromise user privacy and the overall security of your application.

Contained database authentication should be disabled

Property
Language: terraform
Severity: medium
Service: sql
Provider: Google
Vulnerability Type: omission

Description

Contained database authentication is enabled, allowing users with ALTER permissions to grant access to the database without administrator oversight. This bypasses centralized access controls and can lead to unauthorized access management.

Impact

If exploited, users could create or modify accounts and grant unauthorized access to the database, potentially exposing sensitive data and undermining audit and compliance controls.

Container capabilities must only include NET_BIND_SERVICE

Property
Language: terraform
Severity: low

Description

The container is configured with excessive Linux capabilities, rather than dropping all by default and only allowing NET_BIND_SERVICE. This increases the container’s privileges beyond what is necessary for binding to low ports.

Impact

If exploited, attackers could leverage unnecessary capabilities to escalate privileges or compromise the host, increasing the risk of container breakout or unauthorized access to system resources.

Resolution

Set ‘spec.containers[].securityContext.capabilities.drop’ to ‘ALL’ and only add ‘NET_BIND_SERVICE’ to ‘spec.containers[].securityContext.capabilities.add’.

Container images from public registries used

Property
Language: terraform
Severity: medium
Vulnerability Type: omission

Description

Container images are being pulled from public registries or lack a specified registry, exposing deployments to untrusted or potentially malicious images. Using public sources bypasses organizational control over image authenticity and updates.

Impact

Attackers could compromise containers by introducing malicious images or tampered software, leading to unauthorized access, data breaches, or service disruption. Reliance on public registries increases the risk of supply chain attacks and reduces visibility into image provenance.

Containers must not set runAsUser to 0

Property
Language: terraform
Severity: low

Description

The configuration allows containers to run as the root user (UID 0) by explicitly setting ‘securityContext.runAsUser’ to 0. Running containers as root increases the risk of privilege escalation within the container environment.

Impact

If exploited, attackers who compromise a container can gain root-level access, potentially allowing them to break out of the container, alter system files, or escalate privileges, increasing the risk of system-wide compromise.

COPY ‘--from’ referring to the current image

Property
Language: terraform
Severity: critical
Vulnerability Type: omission

Description

The Dockerfile uses COPY --from to reference the alias of the current build stage, attempting to copy files from the stage into itself, which is not supported and results in build failures. This misconfiguration prevents proper multi-stage builds and interrupts the image creation process.

Impact

If present, this issue causes Docker builds to fail, halting deployments and potentially delaying application delivery. It may block security or functionality updates, disrupt CI/CD pipelines, and increase operational risk due to incomplete or missing container images.

COPY with more than two arguments not ending with slash

Property
Language: terraform
Severity: critical
Vulnerability Type: omission

Description

A Dockerfile COPY instruction with more than two arguments (multiple sources) requires the destination path, the last argument, to be a directory and end with a slash. Omitting the trailing slash causes the build to fail or files to be copied incorrectly, resulting in an unintended directory structure within the image.

Impact

Incorrectly structured images may lead to application failures, missing dependencies, or misconfigurations. This can introduce unpredictable behavior, break deployments, or expose sensitive data if files are placed in unintended locations.

CPU not limited

Property
Language: terraform
Severity: low

Description

The container configuration does not specify a CPU limit, allowing it to consume unlimited CPU resources on the host. Without this restriction, workloads can monopolize system resources uncontrollably.

Impact

If exploited, a container could consume excessive CPU, leading to resource exhaustion that may degrade or disrupt other services on the same host. This increases the risk of denial-of-service (DoS) attacks and can destabilize the entire Kubernetes cluster.