Improper Access Control
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
Defining custom Azure subscription roles with full permissions (using ‘actions = ["*"]’) grants unrestricted access to all resources. This effectively creates a new owner role, which can bypass intended access controls.
Impact#
If exploited, users assigned to these custom roles can perform any action within the subscription, including modifying or deleting resources, changing configurations, and accessing sensitive data. This increases the risk of accidental or malicious changes, leading to potential data loss, service outages, or security breaches.