SYM_CONF_0159 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Access Control
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Disabling OS Login on a Google Compute instance overrides the project-wide security setting and allows users to connect using SSH keys stored in instance metadata, reducing centralized access control.
Impact
Attackers or unauthorized users could gain direct SSH access to instances by bypassing organization-wide login policies, increasing the risk of unauthorized access and making it harder to audit and manage user permissions across your cloud infrastructure.