SYM_CONF_0198 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Access Control
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-284: Improper Access Control |
OWASP | A5:2017 - Broken Access Control (A01:2021 - Broken Access Control in the current Top 10) |
Confidence Level | Low |
Impact Level | Low |
Likelihood Level | Low |
Description
The GKE cluster resource (Terraform `google_container_cluster`) has no `master_authorized_networks_config` block, so access to the public Kubernetes control-plane endpoint is not restricted to specific source IP ranges. Any host on the internet can open a connection to the API server. Clients still have to authenticate, but the endpoint's full attack surface (stolen or leaked credentials, brute force against service-account tokens, and any exploitable bug in the API server) is reachable from anywhere instead of only from known networks. Note that a private cluster with `enable_private_endpoint = true` has no public endpoint at all; for such clusters the block limits which VPC or peered ranges may reach the private endpoint.
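The following Terraform is an added example, not code from the Symbiotic database or from any project it describes. It places the flagged shape next to a hardened one; the cluster names, location, and CIDR ranges are assumptions (the ranges are RFC 5737 documentation addresses).

```hcl
# Added example (not from the original page). Provider: hashicorp/google.
# Cluster names, location, and CIDRs below are assumed values.

# Flagged shape: no master_authorized_networks_config, so the public
# control-plane endpoint accepts connections from any source IP.
resource "google_container_cluster" "exposed" {
  name               = "exposed-cluster"
  location           = "us-central1"
  initial_node_count = 1
}

# Hardened shape: only the listed CIDRs may reach the control-plane endpoint.
# Keep the list small and name each entry so reviews can see why it exists.
resource "google_container_cluster" "restricted" {
  name               = "restricted-cluster"
  location           = "us-central1"
  initial_node_count = 1

  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "203.0.113.0/24"   # assumed corporate egress range
      display_name = "corp-egress"
    }
    cidr_blocks {
      cidr_block   = "198.51.100.10/32" # assumed CI runner that runs kubectl
      display_name = "ci-runner"
    }
  }
}
```

To confirm the setting on a running cluster, `gcloud container clusters describe CLUSTER --location LOCATION --format="value(masterAuthorizedNetworksConfig)"` should print an entry with `enabled: true` and the expected `cidrBlocks`; an empty result means the endpoint is open to any source. If the control plane should never be reachable from the internet, the stricter option is a private cluster (`private_cluster_config` with `enable_private_endpoint = true`), after which the authorized networks list may only contain internal ranges.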
Impact
Without restricting master access, an attacker with a stolen kubeconfig, leaked service-account token, or a working exploit for the API server can reach the control plane from any network, and from there take over the cluster, read secrets and workload data, or disrupt services. Restricting the endpoint to known source ranges does not replace authentication, but it keeps the control plane out of reach of internet-wide scanning and credential replay from untrusted networks.