SYM_CONF_0135 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

# Exposure of Sensitive Information to an Unauthorized Actor
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
| OWASP | A01:2021 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
## Description

The IAM policy grants broad data-reading permissions (for example on S3, Secrets Manager, or RDS) with the `Resource` element set to the wildcard `"*"`, so the grant applies to every resource in the account instead of the specific buckets, secrets, or databases the principal actually needs. Users or roles attached to the policy may therefore read sensitive data they should not be allowed to view.
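The check below is an added example, not code from the Symbiotic-Vulnerability-Database project: it parses an IAM policy document and reports `Allow` statements that combine a sensitive read action with `Resource: "*"`. The two embedded policies and the list of sensitive action patterns are constructed assumptions for the demonstration.

```python
import fnmatch
import json

# Constructed sample policies (assumed, not taken from the page): one broad, one scoped.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "secretsmanager:GetSecretValue", "rds:Describe*"],
                   "Resource": "*"}],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-bucket/config/*"},
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:example-app/*"},
    ],
})

# Read-type actions on services that commonly hold sensitive data (assumed, non-exhaustive list).
SENSITIVE_READ_PATTERNS = ("s3:Get*", "s3:List*", "secretsmanager:Get*",
                           "secretsmanager:List*", "rds:Describe*")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_sensitive_read(action):
    # Match in both directions so policy wildcards such as "s3:*" or "*" are also caught.
    a = action.lower()
    return any(fnmatch.fnmatchcase(a, p.lower()) or fnmatch.fnmatchcase(p.lower(), a)
               for p in SENSITIVE_READ_PATTERNS)

def find_broad_read_grants(policy_json):
    """Return one finding per Allow statement granting a sensitive read action on Resource '*'.
    Each finding: {"statement": index, "actions": [...], "resource": "*"}."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny statements and NotAction statements are out of scope here
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # scoped to specific ARNs: not the pattern this finding describes
        hits = [a for a in _as_list(stmt["Action"]) if _is_sensitive_read(a)]
        if hits:
            findings.append({"statement": idx, "actions": hits, "resource": "*"})
    return findings

if __name__ == "__main__":
    print(find_broad_read_grants(BROAD_POLICY))   # flags statement 0 with all three actions
    print(find_broad_read_grants(SCOPED_POLICY))  # []
```

The scoped policy passes because each statement names the ARNs it needs; a real scan would also inspect `NotAction`, `NotResource`, and condition keys, which this example leaves out.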
## Impact

If exploited, attackers or unauthorized users could read or copy confidential data from any S3 bucket, secret, or database in the AWS account, leading to data breaches, regulatory violations, or exposure of intellectual property.