# SYM_CONF_0177 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki

## Improper Access Control
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
## Description

The Cloud Run service is configured to grant access to 'allUsers' or 'allAuthenticatedUsers'. Granting access to 'allUsers' makes the service reachable by anyone on the internet; granting it to 'allAuthenticatedUsers' makes it reachable by anyone with a Google account, not only members of your organization. Either setting exposes your service to unauthorized access.
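The following is an added example (not code from the Symbiotic-Vulnerability-Database) showing how to detect this condition in a Cloud Run IAM policy and what the corrected policy looks like. The two policy documents are constructed for the example: their shape matches what `gcloud run services get-iam-policy SERVICE --region REGION --format=json` returns, but the service name, etag, user and service-account identities are invented. The check reports any role held by a public principal, not only the invoker role, since a broader role granted to 'allUsers' would be an even larger exposure.

```python
import copy
import json

# Principals that make a Cloud Run service callable by anyone on the internet
# (allUsers) or by any signed-in Google account (allAuthenticatedUsers).
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample: the misconfiguration described in this entry. The etag
# and identities are made up for the example.
WEAK_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/run.invoker", "members": ["allUsers"]},
    {"role": "roles/run.admin", "members": ["user:owner@example.com"]}
  ],
  "etag": "BwExampleEtag=",
  "version": 1
}
""")

# Constructed sample of the corrected policy: the invoker role is granted only
# to a named (hypothetical) service account, so callers must present a valid
# identity token for that account instead of being anonymous.
FIXED_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/run.invoker",
     "members": ["serviceAccount:frontend@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/run.admin", "members": ["user:owner@example.com"]}
  ],
  "etag": "BwExampleEtag=",
  "version": 1
}
""")


def find_public_bindings(policy):
    """Return (role, member) pairs where a public principal holds any role."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((binding["role"], member))
    return findings


def remove_public_members(policy):
    """Return a copy of the policy with public principals stripped out.

    Bindings left with no members are dropped. The original policy is not
    modified, and the etag is preserved so the result can be written back as
    a read-modify-write with `set-iam-policy`.
    """
    hardened = copy.deepcopy(policy)
    kept = []
    for binding in hardened.get("bindings", []):
        binding["members"] = [m for m in binding["members"]
                              if m not in PUBLIC_PRINCIPALS]
        if binding["members"]:
            kept.append(binding)
    hardened["bindings"] = kept
    return hardened


def remediation_commands(service, region, findings):
    """Build the gcloud command that removes each public binding found."""
    return [
        f"gcloud run services remove-iam-policy-binding {service} "
        f"--region={region} --member={member} --role={role}"
        for role, member in findings
    ]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        public = find_public_bindings(policy)
        status = f"PUBLIC {public}" if public else "no public principals"
        print(f"{name} policy: {status}")
    # Service name and region below are placeholders for the example.
    for cmd in remediation_commands("my-service", "us-central1",
                                    find_public_bindings(WEAK_POLICY)):
        print(cmd)
```

In practice the JSON would come from the `gcloud` command named above rather than an inline string; the rest of the check is unchanged. Removing 'allUsers' from the invoker role means the service rejects unauthenticated requests, so any legitimate caller must be given the invoker role under its own identity, as the corrected policy does for the service account.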
## Impact

If exploited, anyone—even without proper permissions—could invoke your Cloud Run service, potentially leaking sensitive data or allowing misuse of backend functionality. This increases the risk of data breaches, unauthorized actions, and abuse of your cloud resources.