SYM_CONF_0222 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Improper Access Control
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-284: Improper Access Control |
| OWASP | A05:2017 - Broken Access Control |
| Confidence Level | Low |
| Impact Level | Low |
| Likelihood Level | Low |
Description
Assigning the `roles/editor` role at the organization level in GCP gives users broad permissions, including the ability to impersonate and manage all service accounts, and because IAM policies are inherited, the grant applies to every folder and project in the organization. This overly permissive access can expose sensitive cloud resources to misuse.
Impact
If exploited, attackers or unauthorized users could gain control over all service accounts, potentially allowing them to escalate privileges, access confidential data, and perform destructive actions across your entire GCP organization.
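The following is an added audit example, not part of the Symbiotic database entry: it scans an organization IAM policy (the JSON shape that `gcloud organizations get-iam-policy ORG_ID --format=json` returns; the policy below is constructed) for `roles/editor` bindings, generalized to also flag `roles/owner`, and produces a copy of the policy with those bindings removed so they can be replaced with narrower predefined or custom roles.

```python
import json

# Constructed sample of an organization-level IAM policy in the JSON
# shape returned by `gcloud organizations get-iam-policy ORG_ID --format=json`.
SAMPLE_ORG_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor",
     "members": ["user:alice@example.com", "group:devs@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "temporary",
                   "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
    {"role": "roles/resourcemanager.organizationViewer",
     "members": ["group:auditors@example.com"]}
  ],
  "etag": "BwXconstructedEtag=",
  "version": 3
}
""")

# Basic roles that are too broad for an organization-level grant;
# roles/editor is the one this entry describes, roles/owner is a superset.
BASIC_ROLES = frozenset({"roles/editor", "roles/owner"})


def find_broad_bindings(policy, roles=BASIC_ROLES):
    """Return (role, member, conditioned) for every member holding a basic role.

    `conditioned` is True when the binding carries an IAM condition; such grants
    still deserve review because the condition only narrows when, not what."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in roles:
            continue
        conditioned = "condition" in binding
        for member in binding.get("members", []):
            findings.append((role, member, conditioned))
    return findings


def without_roles(policy, roles=BASIC_ROLES):
    """Copy of the policy with the broad bindings dropped; the etag is kept so
    the result can be re-applied with set-iam-policy once narrower roles are
    added to the bindings list."""
    kept = [b for b in policy.get("bindings", []) if b.get("role") not in roles]
    return {**policy, "bindings": kept}


if __name__ == "__main__":
    for role, member, conditioned in find_broad_bindings(SAMPLE_ORG_POLICY):
        print(f"{role} granted to {member}{' (conditional)' if conditioned else ''}")
```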