Deserialization of Untrusted Data

Property
Language: ruby
Severity: high
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

The code deserializes user-supplied input (such as from params or cookies) using functions like Marshal.load, CSV.load, or Oj.load. This lets attackers send crafted data that, when loaded, could execute malicious code.

Impact

If exploited, an attacker could execute arbitrary code on your server, potentially leading to data theft, system compromise, or full takeover of the application environment. This poses a critical risk to both user data and infrastructure.

Deserialization of Untrusted Data

Property
Language: ruby
Severity: medium
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

The application is deserializing data from user-controlled environment variables using methods like Marshal.load, Oj.load, or CSV.load. This allows attackers to inject malicious data that could be executed when deserialized.

Impact

An attacker could exploit this vulnerability to execute arbitrary code on the server, potentially compromising sensitive data, gaining unauthorized access, or taking full control of the application and underlying system.

Deserialization of Untrusted Data

Property
Language: ruby
Severity: high
CWE: CWE-502: Deserialization of Untrusted Data
OWASP: A08:2017 - Insecure Deserialization
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

The code is deserializing data from the event object using methods like Marshal.load, YAML.load, or CSV.load. Deserializing untrusted user input in this way is unsafe and can let attackers execute malicious code.

Impact

If exploited, an attacker could run arbitrary code on your server, gain unauthorized access to sensitive data, or take control of the application. This could lead to data breaches, system compromise, or full takeover of your application infrastructure.

Disable local_infile setting in MySQL

Property
Language: terraform
Severity: high
Service: sql
Provider: Google
Vulnerability Type: misconfiguration

Description

Enabling the MySQL 'local_infile' setting allows the database to read local files from the server's filesystem using the LOAD DATA statement, which can expose sensitive files if not properly controlled.

Impact

If combined with a SQL injection vulnerability, attackers could use this setting to read arbitrary files from the database server, potentially leaking credentials, configuration files, or other sensitive data, leading to significant data breaches.

Disable project-wide SSH keys for all instances

Property
Language: terraform
Severity: medium
Service: compute
Provider: Google
Vulnerability Type: omission

Description

Project-wide SSH keys are enabled for Google Compute instances, allowing the same SSH keys to access all instances in the project. This configuration increases the attack surface by not restricting access to specific instances.

Impact

If any project-wide SSH key is compromised, an attacker can gain unauthorized access to all instances in the project, potentially leading to full environment compromise, data breaches, or service disruption.

Disable serial port connectivity for all instances

Property
Language: terraform
Severity: medium
Service: compute
Provider: Google
Vulnerability Type: misconfiguration

Description

Enabling serial port access on Google Compute Engine instances bypasses standard network security controls, allowing unmanaged external connections to the instance console. This configuration may expose the serial console to unauthorized access.

Impact

If exploited, attackers could gain direct console-level access to virtual machines, potentially allowing them to execute commands, access sensitive data, or disrupt system operations, leading to compromise or loss of control over affected instances.

Disable Unused Credentials 45 Days

Property
Language: terraform
Severity: low
Service: iam
Provider: AWS

Description

Disabling or removing unnecessary credentials will reduce the window of opportunity for credentials associated with a compromised or abandoned account to be used.

Resolution

Disable credentials which are no longer used.

Disks should be encrypted with customer managed encryption keys

Property
Language: terraform
Severity: low
Service: compute
Provider: Google

Description

Google Compute disks are not encrypted using customer-managed encryption keys, relying instead on default or unmanaged keys. This limits control over key rotation and access management, reducing the overall security of stored data.

Impact

Without customer-managed keys, organizations cannot enforce strict access controls or rotate encryption keys as needed, increasing the risk of unauthorized data access if the default keys are compromised or mismanaged.

Divide By Zero

Property
Language: ruby
Severity: medium
CWE: CWE-369: Divide By Zero
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The code performs a division operation where the denominator could be zero. This can cause a ZeroDivisionError at runtime, leading to unexpected crashes or application instability.

Impact

If exploited, this vulnerability could allow attackers or users to trigger application errors or service outages by providing input that results in division by zero. This can disrupt availability, potentially expose error details, and degrade user trust or system reliability.

'dnf clean all' missing

Property
Language: terraform
Severity: high
Vulnerability Type: omission

Description

The Dockerfile installs packages with 'dnf' but does not run 'dnf clean all' afterward, leaving cached package data in the image. This unnecessary cache increases the image size and may persist sensitive or outdated package metadata.

Impact

Leaving package caches in container images increases their size, which can lead to longer build and deployment times, higher storage costs, and a larger attack surface if sensitive package data is exposed. Attackers could exploit outdated or unnecessary files for reconnaissance or to identify vulnerabilities.