SYM_CONF_0119 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Server-Side Request Forgery (SSRF)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-918: Server-Side Request Forgery (SSRF) |
| OWASP | A10:2021 - Server-Side Request Forgery (SSRF) |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Low |
Description
The EC2 instance is configured to allow the older Instance Metadata Service v1 (IMDSv1) because it does not require IMDSv2 session tokens. This weakens security: any code that can issue an HTTP request from the instance can read the metadata service with a single GET, without first obtaining a token, which makes the service far more accessible to an attacker.
Impact
If exploited, attackers could use Server-Side Request Forgery (SSRF) or other methods to access sensitive instance metadata, such as credentials or configuration details, potentially leading to unauthorized AWS access or privilege escalation.
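The following is an added example, not part of this wiki entry, showing how a defender would detect this finding and what the remediation looks like. It audits instance records shaped like the `MetadataOptions` block that boto3's `ec2.describe_instances()` returns (the records themselves are constructed, with placeholder instance IDs) and builds the arguments for `ec2.modify_instance_metadata_options()`; no AWS call is made.

```python
"""Audit EC2 metadata options for IMDSv1 exposure (CWE-918 / SYM_CONF_0119).

Constructed example: the records below mimic the shape of
Reservations[].Instances[].MetadataOptions from boto3 describe_instances().
Nothing here talks to AWS.
"""
from typing import Dict, List

# Constructed sample data with placeholder instance IDs.
SAMPLE_INSTANCES: List[Dict] = [
    {"InstanceId": "i-0000000000000aaaa",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0000000000000bbbb",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0000000000000cccc",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1}},
]


def imdsv1_allowed(meta: Dict) -> bool:
    """True when the metadata endpoint answers requests without a session token.

    Only an enabled endpoint matters; with HttpTokens != "required" a plain
    GET succeeds, which is the request shape an SSRF primitive can issue.
    Missing keys are read conservatively (assumed enabled / optional).
    """
    return (meta.get("HttpEndpoint", "enabled") == "enabled"
            and meta.get("HttpTokens", "optional") != "required")


def audit(instances: List[Dict]) -> List[str]:
    """Return the IDs of instances that still accept IMDSv1 requests."""
    return [i["InstanceId"] for i in instances
            if imdsv1_allowed(i.get("MetadataOptions", {}))]


def remediation_params(instance_id: str) -> Dict:
    """Keyword arguments for ec2.modify_instance_metadata_options().

    HttpTokens="required" enforces IMDSv2; a hop limit of 1 also keeps
    token-bearing responses from being forwarded past the instance itself.
    """
    return {"InstanceId": instance_id, "HttpTokens": "required",
            "HttpEndpoint": "enabled", "HttpPutResponseHopLimit": 1}


if __name__ == "__main__":
    for iid in audit(SAMPLE_INSTANCES):
        print(f"{iid}: IMDSv1 allowed -> {remediation_params(iid)}")
```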