SYM_CONF_0179 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Access Control
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
The Dataproc cluster IAM binding includes 'allUsers' or 'allAuthenticatedUsers' in the members list, which grants access to anyone on the internet or any authenticated Google user. This makes the cluster publicly or anonymously accessible, exposing sensitive resources.
Impact
If exploited, unauthorized users could access, modify, or disrupt your Dataproc cluster, potentially leading to data leaks, resource misuse, or loss of control over your processing jobs. This can result in data breaches, increased costs, and regulatory violations.