Improper Access Control

Property
Language: hcl
Severity: high
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: High
Likelihood Level: Medium

Description

The IAM policy for GitHub OpenID Connect (OIDC) integration is missing a ‘condition’ block that restricts access to specific GitHub repositories. Without this, any GitHub user can potentially assume the associated AWS role.

Impact

If exploited, attackers could use their own GitHub repositories to obtain AWS credentials via OIDC, leading to unauthorized access to sensitive AWS resources. This can result in data breaches, resource manipulation, or compromise of your AWS environment.

Improper Access Control

Property
Language: hcl
Severity: medium
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

Assigning a public IP address to an AWS EC2 instance exposes it directly to the internet, making it accessible from anywhere. This increases the risk of unauthorized access or attacks on the instance.

Impact

If exploited, attackers could connect directly to the EC2 instance, potentially gaining access to sensitive data or control over the system. This exposure can lead to data breaches, service disruptions, or use of your resources for malicious purposes.

Improper Access Control

Property
Language: hcl
Severity: medium
CWE: CWE-284: Improper Access Control
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Medium

Description

The network ACL rule allows all inbound or outbound traffic across all ports, instead of restricting access to only necessary ports. This overly permissive configuration exposes your AWS resources to unwanted network access.

Impact

If exploited, attackers could access any service or application running in your VPC, increasing the risk of unauthorized access, data breaches, and lateral movement within your environment. This weakens your network’s security posture and may lead to compromise of sensitive assets.

Improper Access Control

Property
Language: hcl
Severity: low
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The AWS Redshift cluster resource does not configure encryption with a customer-managed KMS key. Without a specified KMS key, the cluster's data at rest is not encrypted under a key that you control.

Impact

If encryption with a customer-managed KMS key is not enabled, sensitive data stored in the Redshift cluster could be exposed if the infrastructure is compromised. This increases the risk of unauthorized data access and may violate compliance requirements.

Improper Access Control

Property
Language: hcl
Severity: medium
CWE: CWE-284: Improper Access Control
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Medium

Description

This code configures an AWS security group to allow incoming traffic from any IP address on the public internet. Allowing unrestricted public ingress greatly increases exposure to unauthorized access.

Impact

Attackers could directly reach and attempt to exploit your resources, potentially leading to data breaches, service disruption, or unauthorized control of your infrastructure. Exposed ports may be targeted by automated scanning and attacks, putting your systems and sensitive data at significant risk.

Improper Access Control

Property
Language: hcl
Severity: medium
CWE: CWE-284: Improper Access Control
OWASP: A01:2021 - Broken Access Control
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Low

Description

The subnet configuration assigns public IP addresses to resources by default, making them directly accessible from the internet. This increases the risk of unauthorized access if resources are not properly secured.

Impact

If exploited, attackers could connect to exposed resources such as servers or databases, potentially leading to data breaches, service disruption, or unauthorized control over your infrastructure. Publicly accessible resources are a common entry point for cyberattacks.

Improper Access Control

Property
Language: php
Severity: medium
CWE: CWE-284: Improper Access Control
OWASP: A01:2021 - Broken Access Control
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

The session variable key is being set using untrusted user input, allowing attackers to control which session variables are modified or created. This breaks the expectation that only the application sets session data.

Impact

An attacker could overwrite or inject arbitrary session values, potentially gaining unauthorized access, escalating privileges, or tampering with user data. This can lead to broken access control, account takeover, or other serious security breaches.

Improper Access Control

Property
Language: ruby
Severity: medium
CWE: CWE-284: Improper Access Control
OWASP: A05:2017 - Broken Access Control
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: Medium

Description

Using :except with skip_before_filter, skip_before_action, or skip_filter in Rails controllers can unintentionally disable important security checks for most actions, because the filter is skipped for every action not named in the :except list. This increases the risk of access control mistakes; it is safer to explicitly specify which actions should skip filters using :only.

Impact

If exploited, attackers may gain unauthorized access to sensitive controller actions that should be protected, leading to data leaks, privilege escalation, or unauthorized operations. This can compromise user data and application integrity.

Improper Access Control

Property
Language: solidity
Severity: high
CWE: CWE-284: Improper Access Control
Confidence Level: Low
Impact Level: High
Likelihood Level: High

Description

The burn function allows any user to burn (destroy) tokens from any account, rather than restricting this action to the token owner. This means someone could burn tokens belonging to other users without their permission.

Impact

If exploited, an attacker could destroy tokens from any user’s account, causing loss of funds, disrupting user balances, and potentially undermining trust in the token contract. This could result in significant financial damage and reputational loss for the project.

Improper Access Control

Property
Language: solidity
Severity: medium
CWE: CWE-284: Improper Access Control
Confidence Level: Medium
Impact Level: High
Likelihood Level: Low

Description

The sweepToken function lacks proper access control, allowing anyone to call it and transfer tokens from the contract. This exposes critical contract assets to unauthorized users.

Impact

If exploited, an attacker could drain tokens held by the contract, leading to significant financial losses. This can undermine user trust, disrupt protocol operations, and result in irrecoverable asset theft from the platform.