SYM_CONF_0268 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
# Incorrect Permission Assignment for Critical Resource
Property | Value |
---|---|
Language | |
Severity | |
CWE | CWE-732: Incorrect Permission Assignment for Critical Resource |
OWASP | A05:2021 - Security Misconfiguration |
Confidence Level | Low |
Impact Level | Medium |
Likelihood Level | Low |
## Description

The SQS queue policy grants permissions using a wildcard (`*` or `sqs:*`) in the Action field, allowing every possible action instead of only those the principal actually requires. This violates the principle of least privilege and exposes the queue to unnecessary risk.
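As an added example (not part of the SymbioticSec database or any scanner it describes), the wildcard policy is shown next to a least-privilege version, with a small Python check that reports the finding; the account id, queue ARN and role name are constructed placeholders. The check also flags partial globs such as `sqs:Delete*`, which goes beyond the two forms named above.

```python
"""Flag wildcard Actions in an SQS queue policy (CWE-732 / A05:2021)."""
import json

# Constructed sample: policy that allows every SQS action on the queue.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAll",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sqs:*",
        "Resource": "arn:aws:sqs:us-east-1:123456789012:orders",
    }],
})

# Constructed sample: same queue, limited to what a consumer needs.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ConsumeOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/order-consumer"},
        "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage",
                   "sqs:GetQueueAttributes"],
        "Resource": "arn:aws:sqs:us-east-1:123456789012:orders",
    }],
})


def is_wildcard_action(action: str) -> bool:
    """True for '*', 'sqs:*' and partial globs such as 'sqs:Delete*'."""
    return "*" in action.strip()


def find_wildcard_actions(policy_json: str) -> list:
    """Return (Sid, action) pairs for each Allow statement with a wildcard Action."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may be a bare object
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":  # a Deny on '*' is not over-permissive
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):       # Action is a string or a list of strings
            actions = [actions]
        findings += [(stmt.get("Sid", ""), a) for a in actions if is_wildcard_action(a)]
    return findings
```

Statements that use `NotAction` instead of `Action` are not covered by this check and need separate handling.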
## Impact

If exploited, attackers or unauthorized users could perform any action on the SQS queue, including deleting messages, modifying queue attributes, or deleting the queue itself. This could lead to data loss, service disruption, or unauthorized access to sensitive information.