Generation of Weak Initialization Vector (IV)

Property
Language: javascript
Severity: high
CWE: CWE-1204: Generation of Weak Initialization Vector (IV)
Confidence Level: High
Impact Level: Medium
Likelihood Level: High

Description

Using ‘createCipher’ or ‘createDecipher’ in Node.js is insecure because these functions always use the same initialization vector (IV), making encrypted data predictable and vulnerable to attacks. Instead, use ‘createCipheriv’ or ‘createDecipheriv’ to provide a unique IV for each operation.

Impact

If exploited, attackers can decrypt or tamper with sensitive data, especially if the same key is reused. This breaks both data confidentiality and integrity, potentially exposing user information or allowing unauthorized data manipulation.

GitHub branch protection does not require signed commits.

Property
Language: terraform
Severity: high
Service: branch_protections
Provider: GitHub
Vulnerability Type: omission

Description

Branch protection rules on GitHub are configured without requiring signed commits, allowing unsigned or unverified commits to be pushed to protected branches. This weakens the trustworthiness of commit history and increases the risk of unauthorized changes.

Impact

Without enforcing signed commits, attackers or unauthorized users could introduce unverified changes to critical branches, making it difficult to trace the origin of code and increasing the risk of malicious or unauthorized code being merged into production.

GitHub repository has vulnerability alerts disabled.

Property
Language: terraform
Severity: high
Service: repositories
Provider: GitHub
Vulnerability Type: omission

Description

The GitHub repository is configured with vulnerability alerts disabled, which prevents automated notifications about known security issues in dependencies. This setting leaves the repository unaware of vulnerabilities that could be present in its codebase.

Impact

Without vulnerability alerts, critical security flaws in repository dependencies may go undetected, increasing the risk of attackers exploiting known vulnerabilities. This can lead to data breaches, compromised application integrity, and potential exposure of sensitive information.

GitHub repository shouldn’t be public.

Property
Language: terraform
Severity: critical
Service: repositories
Provider: GitHub
Vulnerability Type: omission

Description

The configuration allows a GitHub repository to be public, making all its contents accessible to anyone on the internet. Sensitive code, credentials, or intellectual property stored in the repository are exposed without restriction.

Impact

Attackers or unauthorized users can freely access, copy, and distribute the repository’s contents, potentially leading to data leaks, intellectual property theft, or compromise of other systems if secrets are exposed.

GKE Control Plane should not be publicly accessible

Property
Language: terraform
Severity: high
Service: gke
Provider: Google
Vulnerability Type: misconfiguration

Description

The GKE control plane is configured to be accessible from the public internet, allowing connections from any IP address rather than restricting access to trusted networks. This exposes critical cluster management endpoints to potential unauthorized access.

Impact

If exploited, attackers could gain access to the cluster’s control plane, enabling them to manipulate workloads, exfiltrate data, or disrupt cluster operations. This significantly increases the risk of unauthorized control, data breaches, and service outages.

hostPath volume mounted with docker.sock

Property
Language: terraform
Severity: high
Vulnerability Type: misconfiguration

Description

Mounting the host’s /var/run/docker.sock into a container using a hostPath volume gives the container direct access to the Docker daemon, effectively granting it root-level control over the host system.

Impact

If exploited, this allows attackers within the compromised container to control Docker on the host, potentially launching new privileged containers, modifying existing ones, or taking full control of the host, leading to complete environment compromise.

hostPath volumes mounted

Property
Language: terraform
Severity: medium
Vulnerability Type: misconfiguration

Description

The configuration mounts a hostPath volume into a Kubernetes pod, which gives containers direct access to the underlying node’s filesystem. This practice bypasses Kubernetes isolation and is not allowed by pod security standards.

Impact

Exploiting this vulnerability could allow a compromised container to read, modify, or delete files on the host node, potentially leading to container escapes, privilege escalation, or disruption of other workloads running on the same node.

IAM granted directly to user.

Property
Language: terraform
Severity: medium
Service: iam
Provider: Google
Vulnerability Type: omission

Description

The configuration grants IAM permissions directly to individual user accounts instead of assigning them through roles, groups, or service accounts, making access control harder to manage and audit. This approach increases the risk of misconfiguration and unauthorized access.

Impact

Directly assigning permissions to users can lead to excessive or lingering privileges, complicate revocation processes, and increase the risk of accidental or intentional misuse. This can result in unauthorized access to sensitive resources, data exposure, or disruption of critical services.

IAM groups should have MFA enforcement activated.

Property
Language: terraform
Severity: medium
Service: iam
Provider: AWS
Vulnerability Type: omission

Description

IAM groups are configured without enforcing multi-factor authentication (MFA), allowing users to access resources with only a password. This setup lacks an important security layer against unauthorized access in case credentials are compromised.

Impact

Without MFA enforcement, attackers who obtain user passwords can access sensitive AWS resources, increasing the risk of data breaches, privilege escalation, and unauthorized actions within the cloud environment.

IAM Pass Role Filtering

Property
Language: terraform
Severity: medium
Service: iam
Provider: aws
Vulnerability Type: omission

Description

IAM policies allow the ‘iam:PassRole’ action without restrictions, enabling users or roles to assign any IAM role to AWS resources. This broad permission can lead to unintended privilege escalation if not properly controlled.

Impact

If exploited, users could assign themselves or others higher-privileged roles, potentially gaining unauthorized access to sensitive resources or administrative functions. This can result in compromised accounts, data exposure, or full environment takeover.