SYM_CONF_0220 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Access Control
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-284: Improper Access Control |
OWASP | A05:2017 - Broken Access Control |
Confidence Level | Low |
Impact Level | Low |
Likelihood Level | Low |
Description
Every GCP project gets a default Compute Engine service account (PROJECT_NUMBER-compute@developer.gserviceaccount.com) that is attached to new VM instances unless another account is specified. IAM roles granted at the organization level are inherited by every folder and project beneath it, so binding an organization-level role to this account gives every VM that runs as it, and every process on those VMs that can reach the instance metadata server, permissions across the whole organization. Because the account is shared by many unrelated workloads and is often already over-privileged at the project level (by default it is granted the project Editor role when it is created), the practice widens the blast radius of any single compromised workload to the entire organization.
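The following check is an added example, not part of the Symbiotic database entry or any Google tooling. It parses an organization IAM policy in the JSON shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json` and reports every binding whose member is a GCP-created default service account. It generalises slightly beyond the entry: besides the default Compute Engine account it also matches the default App Engine account (PROJECT_ID@appspot.gserviceaccount.com), since the same inheritance problem applies. The sample policy, the project number, project IDs and e-mail addresses in it are constructed for the example.

```python
import json
import re
import sys

# Default service accounts that GCP creates per project. The Compute Engine one
# is PROJECT_NUMBER-compute@developer.gserviceaccount.com; the App Engine one is
# PROJECT_ID@appspot.gserviceaccount.com (project IDs: 6-30 chars, lowercase
# letters, digits and hyphens, starting with a letter, not ending in a hyphen).
DEFAULT_SA_PATTERNS = [
    re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$"),
    re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]@appspot\.gserviceaccount\.com$"),
]


def is_default_service_account(member: str) -> bool:
    """True if an IAM member string names a GCP-created default service account.

    Members look like 'serviceAccount:EMAIL'; a binding for a deleted account
    is rendered as 'deleted:serviceAccount:EMAIL?uid=NUMBER' and is still
    reported, because re-creating the account revives the binding.
    """
    if member.startswith("deleted:"):
        member = member[len("deleted:"):]
    if not member.startswith("serviceAccount:"):
        return False
    email = member.split(":", 1)[1].split("?", 1)[0]
    return any(p.match(email) for p in DEFAULT_SA_PATTERNS)


def find_default_sa_bindings(policy: dict) -> list:
    """Return one finding per (role, member) pair where the member is a default SA.

    Conditional bindings are still reported: a condition narrows when the role
    applies, but the binding remains organization-wide and inherited.
    """
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if is_default_service_account(member):
                findings.append({
                    "role": binding["role"],
                    "member": member,
                    "conditional": "condition" in binding,
                })
    return findings


# Constructed sample of an organization-level IAM policy (not real data).
SAMPLE_ORG_POLICY = {
    "version": 3,
    "etag": "BwXsample==",
    "bindings": [
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:alice@example.com"]},
        # The misconfiguration this entry describes: an org-level role bound
        # to a project's default Compute Engine service account.
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                     "group:platform-team@example.com"]},
        # A dedicated, user-managed service account: not flagged.
        {"role": "roles/viewer",
         "members": ["serviceAccount:ci-runner@prod-project.iam.gserviceaccount.com"]},
        # Default App Engine account with a condition: still flagged.
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:my-app-project@appspot.gserviceaccount.com"],
         "condition": {"title": "logs-bucket-only",
                       "expression": 'resource.name.startsWith("projects/_/buckets/logs")'}},
    ],
}


if __name__ == "__main__":
    # Usage: gcloud organizations get-iam-policy ORG_ID --format=json | python3 check.py
    # With no piped input the constructed sample policy is scanned instead.
    policy = SAMPLE_ORG_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    for f in find_default_sa_bindings(policy):
        flag = " (conditional)" if f["conditional"] else ""
        print(f"default SA bound at org level: {f['member']} -> {f['role']}{flag}")
```

Each finding is a binding to remove; the workload that actually needs the access should get a dedicated service account with the narrowest role, granted at the project or resource level rather than on the organization.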
Impact
An attacker who obtains code execution on any VM running as the default service account, for example through a vulnerable web application or an SSRF that reaches the instance metadata server (169.254.169.254), can request OAuth access tokens for that account without any further credentials. With organization-level roles behind those tokens, the attacker can read or exfiltrate data, change IAM policies and resources in projects unrelated to the compromised VM, or disrupt critical services across the entire GCP organization. VM access scopes can narrow what a token may do, but they are an OAuth-level limit on a single instance and not a substitute for least-privilege role bindings.