SYM_CONF_0164 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Key Management Errors
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-320: CWE CATEGORY: Key Management Errors |
OWASP | A03:2017 - Sensitive Data Exposure |
Confidence Level | Low |
Impact Level | Low |
Likelihood Level | Low |
Description
The Vertex AI Metadata Store resource is not configured to use a customer-managed encryption key (CMK) for its data. This means sensitive metadata may be encrypted only with default Google-managed keys, reducing control over data security.
Impact
Without a CMK, your organization cannot control or revoke encryption keys, making it harder to manage access to sensitive information. If Google's default keys are compromised or subpoenaed, attackers or unauthorized parties could potentially access confidential metadata stored in Vertex AI.
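One way to check for this condition before deployment, as an added example that is not part of the rule's own implementation: the script inspects Terraform plan JSON and reports Metadata Store resources with no `encryption_spec.kms_key_name`, treating a key that is only known at apply time as configured. It assumes the stores are declared as `google_vertex_ai_metadata_store` and that the input comes from `terraform show -json`; the function names, sample plan, project and key names are constructed for illustration.

```python
import json

# Assumption: stores are declared with the Terraform resource type below and the
# input is the JSON produced by `terraform show -json <planfile>`.
RESOURCE_TYPE = "google_vertex_ai_metadata_store"

def cmk_state(change):
    """Return 'set', 'unknown' (computed at apply time) or 'missing'."""
    # Nested blocks are lists of objects in plan JSON; an absent block is [] or missing.
    for spec in (change.get("after") or {}).get("encryption_spec") or []:
        key = (spec or {}).get("kms_key_name")
        if isinstance(key, str) and key.strip():
            return "set"
    # A key created in the same plan has no value yet; it is flagged in after_unknown.
    for spec in (change.get("after_unknown") or {}).get("encryption_spec") or []:
        if isinstance(spec, dict) and spec.get("kms_key_name") is True:
            return "unknown"
    return "missing"

def stores_without_cmk(plan):
    """Addresses of metadata stores that would rely on Google-managed keys only."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change") or {}
        if rc.get("type") != RESOURCE_TYPE or change.get("actions") == ["delete"]:
            continue
        if cmk_state(change) == "missing":
            findings.append(rc["address"])
    return findings

# Constructed sample plan (not real output); project and key names are placeholders.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "google_vertex_ai_metadata_store.default_keys", "type": "google_vertex_ai_metadata_store",
   "change": {"actions": ["create"], "after": {"name": "a", "encryption_spec": []}, "after_unknown": {}}},
  {"address": "google_vertex_ai_metadata_store.with_cmk", "type": "google_vertex_ai_metadata_store",
   "change": {"actions": ["create"], "after": {"name": "b", "encryption_spec": [
     {"kms_key_name": "projects/example-project/locations/us-central1/keyRings/example-ring/cryptoKeys/example-key"}]},
     "after_unknown": {}}},
  {"address": "google_vertex_ai_metadata_store.new_key", "type": "google_vertex_ai_metadata_store",
   "change": {"actions": ["create"], "after": {"name": "c", "encryption_spec": [{}]},
     "after_unknown": {"encryption_spec": [{"kms_key_name": true}]}}},
  {"address": "google_vertex_ai_metadata_store.blank_key", "type": "google_vertex_ai_metadata_store",
   "change": {"actions": ["update"], "after": {"name": "d", "encryption_spec": [{"kms_key_name": ""}]}, "after_unknown": {}}},
  {"address": "google_storage_bucket.other", "type": "google_storage_bucket",
   "change": {"actions": ["create"], "after": {"name": "e"}, "after_unknown": {}}}
]}
""")

if __name__ == "__main__":
    for address in stores_without_cmk(SAMPLE_PLAN):
        print(f"SYM_CONF_0164: {address} has no customer-managed encryption key")
```

A store whose key is reported as unknown should be re-checked against the applied state, since the plan cannot confirm which key it resolves to.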