SYM_CONF_0210 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Access Control
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Assigning the 'Service Account User' or 'Service Account Token Creator' roles to users at the project level grants broad permissions to impersonate or act as any service account in the project. This increases the risk of privilege misuse or unauthorized access.
Impact
If exploited, an attacker or overly-permissioned user could use these roles to assume the identity of any service account, potentially accessing sensitive resources, escalating privileges, or bypassing intended access controls across the entire project.