SYM_CONF_0167 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Improper Access Control

| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
## Description

Granting the `roles/editor` role at the organization level in GCP lets the grantee manage all resources in every project under the organization, including impersonating and managing every service account. This is an overly broad grant that can lead to unauthorized actions.
## Impact

If exploited, an attacker or unauthorized user could gain full control over resources and service accounts across the entire organization. This could allow them to access sensitive data, escalate privileges, or disrupt organizational operations.
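As an added example (not the wiki's or the project's own code), the check below reads an organization IAM policy in the JSON shape produced by `gcloud organizations get-iam-policy ORG_ID --format=json`, flags every member bound to `roles/editor`, and builds a corrected policy with the binding removed. It goes slightly beyond the finding by also flagging `roles/owner`, which is a superset of editor; the sample policy and its principals are constructed placeholders.

```python
# roles/editor is the role this finding describes; roles/owner is included
# because it is a superset and fails the same least-privilege check.
BROAD_BASIC_ROLES = {"roles/editor", "roles/owner"}


def find_broad_bindings(policy, roles=BROAD_BASIC_ROLES):
    """Return [(role, member, condition_title)] for every member bound to a
    broad basic role. A condition narrows the grant but does not exempt it:
    its title is reported so a reviewer can judge whether it is tight enough."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in roles:
            continue
        title = (binding.get("condition") or {}).get("title")
        for member in binding.get("members", []):
            findings.append((role, member, title))
    return findings


def remove_member_from_role(policy, role, member):
    """Return a copy of the policy with `member` dropped from `role`; bindings
    left with no members are pruned. Grant a narrower predefined role at
    project scope in place of the removed binding before applying the result."""
    new_bindings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") == role and member in binding.get("members", []):
            kept = [m for m in binding["members"] if m != member]
            if not kept:
                continue
            binding = {**binding, "members": kept}
        new_bindings.append(binding)
    return {**policy, "bindings": new_bindings}


# Constructed sample policy; the principals are placeholders, not real accounts.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:dev@example.com", "group:ops@example.com"]},
        {"role": "roles/viewer", "members": ["user:audit@example.com"]},
        {"role": "roles/owner", "members": ["user:breakglass@example.com"],
         "condition": {"title": "expires-2025",
                       "expression": 'request.time < timestamp("2025-01-01T00:00:00Z")'}},
    ],
}

if __name__ == "__main__":
    for role, member, cond in find_broad_bindings(SAMPLE_POLICY):
        print(f"{role:12} {member:32} condition={cond}")
```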