Improper Access Control
| Property | |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description#
The Key Vault resource is configured without setting the network ACL ‘default_action’ to ‘Deny’. This means that, by default, network traffic not explicitly allowed may still access the Key Vault, increasing exposure to unauthorized access.
Impact#
If exploited, attackers or unauthorized users could potentially connect to and access sensitive secrets or keys stored in the Key Vault from unapproved networks. This can lead to data breaches, secret leakage, and compromise of secure operations relying on the Key Vault.