Improper Access Control
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
The virtual machine resource allows extensions to be installed by default, which could enable unauthorized or unmonitored code to run on the VM. Not setting ‘allow_extension_operations = false’ leaves the VM open to potential misuse.
Impact#
If exploited, attackers or unauthorized users could install malicious extensions, leading to data breaches, privilege escalation, or compromise of the virtual machine. This can result in loss of control over the VM, exposure of sensitive information, and increased risk of further attacks across the environment.