Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Cloud Run service is configured to grant access to ‘allUsers’ or ‘allAuthenticatedUsers’, making it publicly accessible to anyone on the internet or any authenticated Google user. This exposes your service to unauthorized access.

Impact

If exploited, anyone—even without proper permissions—could invoke your Cloud Run service, potentially leaking sensitive data or allowing misuse of backend functionality. This increases the risk of data breaches, unauthorized actions, and abuse of your cloud resources.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The firewall rule allows incoming RDP (TCP port 3389) connections from any IP address, exposing remote desktop access to the public internet. This unrestricted access makes the server vulnerable to unauthorized login attempts and attacks.

Impact

If exploited, attackers could attempt to gain remote control of your virtual machines via RDP, leading to possible data breaches, resource misuse, or full environment compromise. Exposing RDP to the internet significantly increases the risk of brute-force attacks and unauthorized access.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The Dataproc cluster IAM binding includes ‘allUsers’ or ‘allAuthenticatedUsers’ in the members list, which grants access to anyone on the internet or any authenticated Google user. This makes the cluster publicly or anonymously accessible, exposing sensitive resources.

Impact

If exploited, unauthorized users could access, modify, or disrupt your Dataproc cluster, potentially leading to data leaks, resource misuse, or loss of control over your processing jobs. This can result in data breaches, increased costs, and regulatory violations.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Granting organization-level IAM roles to default Google Compute Engine service accounts allows these accounts broad access across all projects. Default service accounts are not intended for organization-wide use and may be abused if compromised.

Impact

If exploited, attackers could use the overly permissive default service account to access or modify resources across the entire Google Cloud organization, potentially leading to data breaches, privilege escalation, or unauthorized changes to cloud infrastructure.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The firewall configuration allows incoming FTP (TCP port 21) traffic from any IP address, making the service publicly accessible. This exposes the server to unauthorized access attempts over FTP.

Impact

Attackers could exploit this open access to attempt brute-force logins, transfer malicious files, or abuse the FTP service, potentially leading to data breaches or further compromise of resources within your Google Cloud environment.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The firewall rule allows incoming HTTP (port 80) traffic from any IP address (0.0.0.0/0), exposing your Google Cloud resources to the public internet. This configuration lacks proper access restrictions and makes your services open to everyone.

Impact

An attacker could access exposed HTTP services, potentially leading to unauthorized data exposure, service misuse, or exploitation of application vulnerabilities. Unrestricted public access increases the risk of attacks such as brute-force attempts, data breaches, or denial-of-service, which could compromise your organization’s security and operations.
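The RDP, FTP and HTTP firewall findings above share one detection logic, shown here as an added example in Python (not the scanner's own rule code): it reads `terraform show -json` output and flags ingress `google_compute_firewall` rules whose source ranges include 0.0.0.0/0 (or ::/0) and whose allow blocks reach TCP 21, 80 or 3389, including through port ranges and protocol "all". The plan layout assumed is the real `planned_values.root_module.resources` shape; the sample plan and addresses are constructed.

```python
import json

# Constructed `terraform show -json` plan: three rules open to 0.0.0.0/0 and
# one correctly scoped to a corporate range.
PLAN_JSON = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "google_compute_firewall.rdp_any", "type": "google_compute_firewall",
     "values": {"direction": "INGRESS", "source_ranges": ["0.0.0.0/0"],
                "allow": [{"protocol": "tcp", "ports": ["3389"]}]}},
    {"address": "google_compute_firewall.web_any", "type": "google_compute_firewall",
     "values": {"direction": "INGRESS", "source_ranges": ["10.0.0.0/8", "0.0.0.0/0"],
                "allow": [{"protocol": "tcp", "ports": ["20-25", "80"]}]}},
    {"address": "google_compute_firewall.all_any", "type": "google_compute_firewall",
     "values": {"direction": None, "source_ranges": ["0.0.0.0/0"],
                "allow": [{"protocol": "all", "ports": []}]}},
    {"address": "google_compute_firewall.rdp_corp", "type": "google_compute_firewall",
     "values": {"direction": "INGRESS", "source_ranges": ["203.0.113.0/24"],
                "allow": [{"protocol": "tcp", "ports": ["3389"]}]}},
]}}})

SENSITIVE_PORTS = {21: "FTP", 80: "HTTP", 3389: "RDP"}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

def port_matches(spec, port):
    # A `ports` entry is a string: one port ("80") or a range ("20-25").
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def exposed_ports(allow_rules):
    """Sensitive TCP ports reachable through a rule's `allow` blocks."""
    hits = set()
    for rule in allow_rules:
        if rule["protocol"].lower() not in ("tcp", "all"):
            continue
        specs = rule.get("ports") or []  # empty list: every port of the protocol
        hits.update(p for p in SENSITIVE_PORTS
                    if not specs or any(port_matches(s, p) for s in specs))
    return hits

def check_firewalls(plan_json):
    """Return (address, reason) for ingress rules exposing FTP/HTTP/RDP to all."""
    findings = []
    for res in json.loads(plan_json)["planned_values"]["root_module"]["resources"]:
        v = res["values"]  # direction is optional in HCL; null in the plan means INGRESS
        if res["type"] != "google_compute_firewall" or (v.get("direction") or "INGRESS") != "INGRESS":
            continue
        if not ANY_SOURCE & set(v.get("source_ranges") or []):
            continue
        for port in sorted(exposed_ports(v.get("allow") or [])):
            findings.append((res["address"], f"{SENSITIVE_PORTS[port]} (tcp/{port}) open to the internet"))
    return findings
```

The `web_any` rule is flagged for FTP as well as HTTP because its `20-25` range covers port 21, which a check that only compares literal port strings would miss.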

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Enabling ‘can_ip_forward’ on a Google Compute Instance Template allows instances to forward network packets, effectively making them act as network routers. This increases the risk of traffic being routed through unintended or insecure paths.

Impact

If IP forwarding is enabled, an attacker could route unauthorized or malicious traffic through your instances, potentially exposing sensitive data or enabling lateral movement within your network. This can lead to data breaches or compromise of other systems.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Enabling ‘serial-port-enable’ on a Google Compute Engine VM allows connections to the VM’s serial port, which can expose sensitive system access if not properly restricted. This setting should be disabled unless explicitly required for debugging or troubleshooting.

Impact

If attackers gain access to the serial port, they could potentially bypass standard authentication, view sensitive console output, or execute commands directly on the VM. This increases the risk of unauthorized access and compromise of the virtual machine and its data.
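The `can_ip_forward` and `serial-port-enable` findings from the two entries above, as one added detection example in Python (not the scanner's own rule code): it walks `terraform show -json` output and flags instances and instance templates with IP forwarding on, and the interactive serial console enabled either on the instance or project-wide through `google_compute_project_metadata_item`. Resource and attribute names are the Google provider's; the plan sample is constructed, and treating "true"/"1" case-insensitively as "on" is an assumption made here.

```python
import json

# Constructed `terraform show -json` plan: an instance template that forwards
# packets, a VM with the serial console on, a project-wide serial setting and
# a clean VM that must not be flagged.
PLAN_JSON = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "google_compute_instance_template.router", "type": "google_compute_instance_template",
     "values": {"can_ip_forward": True, "metadata": None}},
    {"address": "google_compute_instance.debug", "type": "google_compute_instance",
     "values": {"can_ip_forward": False, "metadata": {"serial-port-enable": "TRUE"}}},
    {"address": "google_compute_project_metadata_item.serial", "type": "google_compute_project_metadata_item",
     "values": {"key": "serial-port-enable", "value": "1"}},
    {"address": "google_compute_instance.web", "type": "google_compute_instance",
     "values": {"can_ip_forward": False, "metadata": {"serial-port-enable": "false"}}},
]}}})

COMPUTE_TYPES = {"google_compute_instance", "google_compute_instance_template"}
# Metadata values are strings; assumption used here: "true"/"TRUE"/"1" all mean on.
TRUE_STRINGS = {"true", "1"}

def is_on(value):
    return str(value or "").strip().lower() in TRUE_STRINGS

def check_instances(plan_json):
    """Return (address, reason) for IP forwarding and serial-console findings."""
    findings = []
    for res in json.loads(plan_json)["planned_values"]["root_module"]["resources"]:
        addr, rtype, v = res["address"], res["type"], res["values"]
        if rtype in COMPUTE_TYPES:
            if v.get("can_ip_forward"):
                findings.append((addr, "can_ip_forward enabled: instance can route traffic"))
            if is_on((v.get("metadata") or {}).get("serial-port-enable")):
                findings.append((addr, "serial-port-enable set on the instance"))
        # The same key at project level turns the console on for every VM in the project.
        elif rtype == "google_compute_project_metadata_item" and v.get("key") == "serial-port-enable":
            if is_on(v.get("value")):
                findings.append((addr, "serial-port-enable set project-wide"))
    return findings
```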

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Assigning the ‘roles/editor’ role at the folder level in GCP allows users to manage all resources, including the ability to impersonate and control all service accounts within that folder. This grants broad and sensitive access beyond what is typically necessary.

Impact

If exploited, an attacker or unauthorized user could take control of service accounts, escalate privileges, and access or modify resources across all projects in the folder. This can lead to data breaches, unauthorized actions, and compromise of critical cloud infrastructure.
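The four IAM findings on this page (public principals on Cloud Run and Dataproc, organization-level roles on the default Compute Engine service account, and roles/editor at folder level) can be checked with one pass over `terraform show -json` output; this Python check is an added example, not the scanner's own rule code. It assumes the real plan layout (`planned_values.root_module.resources`, nested `child_modules`) and the provider's `*_iam_binding` (`members` list) and `*_iam_member` (single `member`) resource shapes; the sample plan, project number and addresses are constructed.

```python
import json
import re

# Constructed `terraform show -json` plan: one weak binding per finding plus a
# correctly scoped Cloud Run binding that must not be flagged.
PLAN_JSON = json.dumps({"planned_values": {"root_module": {"resources": [
    {"address": "google_cloud_run_service_iam_binding.pub", "type": "google_cloud_run_service_iam_binding",
     "values": {"role": "roles/run.invoker", "members": ["allUsers"]}},
    {"address": "google_cloud_run_service_iam_binding.ok", "type": "google_cloud_run_service_iam_binding",
     "values": {"role": "roles/run.invoker", "members": ["serviceAccount:api@example-proj.iam.gserviceaccount.com"]}},
    {"address": "google_dataproc_cluster_iam_member.pub", "type": "google_dataproc_cluster_iam_member",
     "values": {"role": "roles/dataproc.viewer", "member": "allAuthenticatedUsers"}},
    {"address": "google_organization_iam_member.sa", "type": "google_organization_iam_member",
     "values": {"role": "roles/viewer", "member": "serviceAccount:123456789012-compute@developer.gserviceaccount.com"}},
    {"address": "google_folder_iam_binding.ed", "type": "google_folder_iam_binding",
     "values": {"role": "roles/editor", "members": ["group:devs@example.com"]}},
]}}})

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
PUBLIC_CHECKED = ("google_cloud_run_", "google_dataproc_cluster_iam_")
# Default Compute Engine service account: <project-number>-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$")

def walk(module):
    """Yield every resource in a plan module and its nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def members_of(values):
    # *_iam_binding carries a `members` list; *_iam_member carries one `member`.
    return values.get("members") or ([values["member"]] if "member" in values else [])

def check_iam(plan_json):
    """Return (resource address, reason) for each binding matching a finding."""
    findings = []
    for res in walk(json.loads(plan_json)["planned_values"]["root_module"]):
        rtype, values, addr = res["type"], res["values"], res["address"]
        role = values.get("role", "")
        if rtype.startswith(PUBLIC_CHECKED):
            for m in members_of(values):
                if m in PUBLIC_PRINCIPALS:
                    findings.append((addr, f"{m} granted {role}"))
        elif rtype.startswith("google_organization_iam_"):
            for m in members_of(values):
                if DEFAULT_COMPUTE_SA.match(m):
                    findings.append((addr, f"org-level {role} on default compute service account"))
        elif rtype.startswith("google_folder_iam_") and role == "roles/editor":
            findings.append((addr, "roles/editor granted at folder level"))
    return findings
```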

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Legacy ABAC authorization is enabled on this GKE cluster, which uses outdated access controls and can grant users overly broad permissions. This setting bypasses modern, more secure RBAC policies.

Impact

If exploited, attackers or unauthorized users could gain excessive privileges within the cluster, potentially allowing them to read, modify, or delete resources and compromise workloads. This weakens security boundaries and increases the risk of data breaches or service disruptions.