SYM_CONF_0121 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Exposure of Sensitive Information to an Unauthorized Actor
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
OWASP | A01:2021 - Broken Access Control |
Confidence Level | Medium |
Impact Level | Medium |
Likelihood Level | Low |
Description
The S3 bucket is configured with the 'public-read-write' canned ACL. That ACL keeps FULL_CONTROL for the bucket owner and grants the AllUsers group (any requester, signed or anonymous) READ and WRITE on the bucket, so anyone on the internet can list its contents and upload, overwrite, or delete objects in it. Bucket-level READ grants listing rather than object download, so whether an existing object's bytes can also be fetched depends on that object's own ACL; objects the attacker uploads are theirs to make public. The finding only applies where ACLs are actually in effect: a bucket with S3 Block Public Access enabled or with Object Ownership set to BucketOwnerEnforced (both the default for buckets created since April 2023) ignores or rejects public ACLs, so check those settings before rating the exposure.
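As an added example, not part of this database entry or of any SymbioticSec tooling, the following Python classifies a bucket ACL in the shape boto3's `get_bucket_acl` returns and shows the two boto3 calls that close the hole. The sample ACL is constructed to match what S3 reports for a bucket created with the public-read-write canned ACL (owner FULL_CONTROL plus READ and WRITE for AllUsers); the owner ID and bucket name are placeholders.

```python
"""Flag S3 bucket ACLs that grant public read or write access.

Added example, not code from the vulnerability database. ``classify`` works
on the dict shape boto3's ``get_bucket_acl`` returns; ``remediate`` issues
the real boto3 calls but is only exercised here with a stand-in client.
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}

# Any of these on the bucket lets the grantee change its contents or ACL.
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(acl):
    """Return [(group, permission), ...] for every grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if group:
            found.append((group, grant["Permission"]))
    return found


def classify(acl):
    """'public-read-write', 'public-read' or 'private', from the grants alone."""
    grants = public_grants(acl)
    if any(perm in WRITE_PERMS for _, perm in grants):
        return "public-read-write"
    if grants:
        return "public-read"
    return "private"


# Constructed ACL: what S3 returns for a bucket created with ACL=public-read-write.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},  # placeholder
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}


def remediate(s3, bucket):
    """Reset the bucket ACL to private and block public ACLs/policies.

    ``s3`` is a boto3 S3 client (or any object with the same two methods).
    The public access block makes the fix stick: S3 then ignores public ACLs
    and refuses new ones, so a later 'acl = public-read-write' has no effect.
    """
    s3.put_bucket_acl(Bucket=bucket, ACL="private")
    s3.put_public_access_block(
        Bucket=bucket,
        PublicAccessBlockConfiguration={
            "BlockPublicAcls": True,
            "IgnorePublicAcls": True,
            "BlockPublicPolicy": True,
            "RestrictPublicBuckets": True,
        },
    )


if __name__ == "__main__":
    print(classify(SAMPLE_ACL), public_grants(SAMPLE_ACL))
```

Against a live account the same check is `aws s3api get-bucket-acl --bucket <name>`: any Grantee URI ending in `/global/AllUsers` or `/global/AuthenticatedUsers` is a public grant, and `aws s3api get-public-access-block --bucket <name>` tells you whether that grant is actually honoured.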
Impact
If exploited, attackers can enumerate and exfiltrate the files they can read, tamper with or delete data the business depends on, and plant their own content in the bucket (for example, malicious files served from a trusted domain or objects that poison a pipeline consuming the bucket). This can lead to data breaches, loss of business-critical information, service disruption, unexpected storage and transfer costs from third-party abuse, and regulatory and reputational damage for the organization.