SYM_CONF_0040 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Permissions, Privileges, and Access Controls
| Property | Value |
| --- | --- |
| Language | |
| Severity | |
| CWE | CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Medium |
| Impact Level | High |
| Likelihood Level | Low |
Description
This S3 bucket policy allows public (everyone) access by setting the Principal to '*', which grants the listed actions to any requester, including unauthenticated ones, and so makes the bucket or its contents accessible to anyone on the internet. Such a configuration exposes your data to unauthorized users.
Impact
If exploited, attackers or unintended users could view, download, modify, or delete files in your S3 bucket, depending on the actions the policy grants, leading to data leaks, loss of sensitive information, or potential service disruption. This can result in reputational damage, regulatory penalties, and loss of customer trust.