Permissive Cross-domain Policy with Untrusted Domains
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-942: Permissive Cross-domain Policy with Untrusted Domains |
| OWASP | A05:2021 - Security Misconfiguration |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The CORS configuration for this S3 bucket sets `allowed_origins` to `*`, so browsers will let pages served from any origin make cross-origin requests to the bucket and read the responses. CORS is a browser-side control that only relaxes the same-origin policy; it does not grant access on its own, but combined with public read or write permissions on the bucket (or presigned URLs handed to a page) it lets any website interact with the bucket from a visitor's browser. Allowed origins should be an explicit list of the sites that legitimately need browser access.
Impact
A page on any malicious website can script requests against the bucket from a visitor's browser: reading objects the bucket exposes, downloading data in bulk, or uploading to and misusing the bucket where it also permits writes. This removes the protection the same-origin policy would otherwise provide and can lead to data leakage or abuse. Restrict `allowed_origins` to the specific origins (scheme, host and, where relevant, port) that need cross-origin access.
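As an added illustration, not taken from the original page, the flagged rule beside a corrected form in Terraform, using the `aws_s3_bucket_cors_configuration` resource. The bucket name and the origins are placeholders.

```hcl
# Added example (not from the original page). Bucket name and origins are
# hypothetical placeholders.

resource "aws_s3_bucket" "assets" {
  bucket = "example-assets-bucket"
}

resource "aws_s3_bucket_cors_configuration" "assets" {
  bucket = aws_s3_bucket.assets.id

  # Weak rule this finding flags (shown for contrast, do not apply):
  #
  # cors_rule {
  #   allowed_methods = ["GET", "PUT"]
  #   allowed_origins = ["*"]
  # }

  # Corrected rule: list each origin (scheme + host + optional port) that
  # legitimately needs browser access. Separate rules scope methods per origin.
  # S3 accepts a single "*" wildcard inside an origin, e.g.
  # "https://*.example.com", when subdomains are required.
  cors_rule {
    allowed_headers = ["Authorization", "Content-Type"]
    allowed_methods = ["GET", "HEAD"]
    allowed_origins = ["https://app.example.com"]
    expose_headers  = ["ETag"]
    max_age_seconds = 3000
  }

  cors_rule {
    allowed_headers = ["Content-Type", "Content-MD5"]
    allowed_methods = ["PUT"]
    allowed_origins = ["https://upload.example.com"]
  }
}
```

To review what is currently deployed on a bucket, `aws s3api get-bucket-cors --bucket example-assets-bucket` prints the active rules; any `AllowedOrigins` entry equal to `*` is the condition this finding reports.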