SYM_CONF_0158 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Access Control
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-284: Improper Access Control |
OWASP | A05:2017 - Broken Access Control |
Confidence Level | Low |
Impact Level | Low |
Likelihood Level | Low |
Description
The GKE control plane is publicly accessible because 'master_authorized_networks_config' is not set, leaving it open to connections from any IP address. This exposes the Kubernetes API server to the internet without network restrictions.
Impact
If the control plane is left public, attackers could attempt unauthorized access to your Kubernetes cluster, potentially gaining control, exfiltrating data, or disrupting services. This exposure increases the risk of compromise and may violate organizational or compliance requirements.
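The finding in the Description, shown as a flagged configuration beside a corrected one. This is an added example, not part of the original entry. It assumes the cluster is defined with Terraform's google_container_cluster resource; the resource names, location and CIDR ranges are constructed placeholders.

```hcl
# Non-compliant: no master_authorized_networks_config block, so the public
# control-plane endpoint accepts connections from any source IP address.
resource "google_container_cluster" "open" {
  name               = "example-open" # constructed name
  location           = "us-central1"  # constructed location
  initial_node_count = 1
}

# Compliant: only the listed CIDR ranges may open a connection to the
# Kubernetes API server endpoint.
resource "google_container_cluster" "restricted" {
  name               = "example-restricted" # constructed name
  location           = "us-central1"        # constructed location
  initial_node_count = 1

  master_authorized_networks_config {
    cidr_blocks {
      # RFC 5737 documentation range, standing in for a VPN egress range.
      cidr_block   = "203.0.113.0/24"
      display_name = "corp-vpn"
    }
    cidr_blocks {
      # Constructed internal range, standing in for a bastion or CI subnet.
      cidr_block   = "10.10.0.0/16"
      display_name = "bastion-subnet"
    }
  }
}
```

A cidr_blocks entry of 0.0.0.0/0 leaves the endpoint reachable from any address even though the block is present, so review the ranges themselves and not only whether the block exists.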