1464 elementos encontrados

Debilidades

Kubernetes Misconfiguration: Static Authentication Token

YAML

Abstract

Un servidor API de Kubernetes utiliza tokens estáticos para autenticar solicitudes.

Explanation

Un servidor API de Kubernetes autentica las solicitudes comparando tokens de portador con una lista guardada en un archivo de token estático. El archivo de token almacena secretos en texto plano y es de naturaleza estática. La autenticación estática basada en tokens es susceptible a ataques por fuerza bruta y puede filtrar las credenciales de acceso a los atacantes en un entorno mal configurado. Para agregar, reemplazar o revocar un token, debe reiniciar el servidor API.

Ejemplo 1: Utilizando la marca --token-auth-file, la siguiente configuración inicia un servidor API de Kubernetes que autentica las solicitudes mediante tokens estáticos.


...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --token-auth-file=<filename>
    ...

References

[1] Static Token File The Kubernetes Authors

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.2.2

[3] Standards Mapping - Common Weakness Enumeration CWE ID 552

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[5] Standards Mapping - FIPS200 CM

[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 8.1.6 General Data Protection (L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)

[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[13] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3260 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3260 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3260 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3260 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3260 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3260 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001650 CAT II

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)

desc.structural.yaml.kubernetes_misconfiguration_static_authentication_token.base

Kubernetes Misconfiguration: Unbound Controller Manager

YAML

Abstract

Un administrador de controlador de Kubernetes acepta conexiones externas.

Explanation

El administrador de controlador de Kubernetes supervisa el estado de un clúster y, si es necesario, puede realizar cambios en cualquier recurso que el clúster administre. De forma predeterminada, un administrador de controlador acepta solicitudes de conexiones externas. Desde una conexión externa, un atacante puede obtener acceso a las API sensibles a la seguridad pero insuficientemente protegidas.

Ejemplo 1: La siguiente configuración inicia un administrador de controlador de Kubernetes sin una dirección de enlace.


...
spec:
  containers:
  - command:
    - kube-controller-manager
    - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
    image: example.domain/kube-controller-manager:v1.9.7
    imagePullPolicy: IfNotPresent
    ...

References

[1] Kubernetes controller manager The Kubernetes Authors

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.3.7

[3] Standards Mapping - Common Weakness Enumeration CWE ID 20

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020

[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[29] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020

[30] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.yaml.kubernetes_misconfiguration_unbound_controller_manager

Kubernetes Misconfiguration: Unbound Scheduler

YAML

Abstract

Un programador de Kubernetes acepta conexiones externas.

Explanation

El programador de Kubernetes determina dónde se ejecutan los pods. De forma predeterminada, un programador acepta solicitudes de conexiones externas. Desde una conexión externa, un atacante puede acceder a las API sensibles a la seguridad y con protección insuficiente.

Ejemplo 1: La siguiente configuración inicia un programador de Kubernetes sin una dirección de enlace.


...
spec:
  containers:
    - command:
      - kube-scheduler
    image: example.domain/kube-scheduler:v1.5.2
    imagePullPolicy: IfNotPresent
    ...

References

[1] Kubernetes Scheduler The Kubernetes Authors

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.4.2

[3] Standards Mapping - Common Weakness Enumeration CWE ID 20

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020

[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020

[29] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.yaml.kubernetes_misconfiguration_unbound_scheduler

Kubernetes Misconfiguration: Unconfigured API Server Logging

YAML

Abstract

Un servidor API de Kubernetes se inicia sin definir una directiva para registrar eventos de auditoría.

Explanation

Un servidor API de Kubernetes no registra eventos si no se especifica un archivo de directiva de auditoría. Los registros de eventos contienen datos valiosos que se utilizan para identificar incidentes de seguridad, supervisar infracciones de directivas y ayudar con los controles de no repudio.

Ejemplo 1: La siguiente configuración inicia un servidor API de Kubernetes sin la marca --audit-policy-file.


...
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-log-path=<the log file path>
  image: example.domain/kube-apiserver-amd64:v1.6.0
  ...

References

[1] Audit Policy The Kubernetes Authors

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 3.2.1

[3] Standards Mapping - Common Weakness Enumeration CWE ID 778

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[5] Standards Mapping - FIPS200 CM

[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[16] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000830 CAT II

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.yaml.kubernetes_misconfiguration_unconfigured_api_server_logging.base

Kubernetes Misconfiguration: Uncontrolled Kubelet Resource Consumption

YAML

Abstract

Una configuración permite un consumo ilimitado de recursos.

Explanation

Los recursos computacionales facturables incluyen, entre otros, el uso de CPU, la memoria, el almacenamiento persistente y las conexiones de red. En ausencia de límites de uso de recursos, los atacantes podrían provocar una denegación de servicio que consuma todos los recursos disponibles o incurra en facturas exorbitantes.

References

[1] Standards Mapping - CIS Kubernetes Benchmark Recommendation 4.2.13

[2] Standards Mapping - Common Weakness Enumeration CWE ID 770

[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[7] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption, API8 Security Misconfiguration

[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[23] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404

[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II

[47] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[48] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.structural.iac.misconfiguration_uncontrolled_resource_consumption.base

Kubernetes Misconfiguration: Weak etcd SSL Certificate

YAML

Abstract

Una instancia de etcd acepta conexiones TLS de clientes que utilizan certificados autofirmados.

Explanation

Kubernetes mantiene datos confidenciales en un clúster etcd. Por lo tanto, cada instancia de etcd solo debe aceptar conexiones de clientes autenticados y autorizados y rechazar cualquier cliente que use un certificado autofirmado para conexiones TLS.

Ejemplo 1: La siguiente configuración inicia una instancia etcd y establece la marca --auto-tls en true. Como resultado, la instancia etcd usa certificados autofirmados para las conexiones TLS con los clientes.


...
spec:
  containers:
  - command:
...
    - etcd
    ...
    - --auto-tls=true
    ...

References

[1] Operating etcd clusters for Kubernetes The Kubernetes Authors

[2] etcd configuration etcd Authors

[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 2.3

[4] Standards Mapping - Common Weakness Enumeration CWE ID 296

[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295

[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000185, CCI-001941, CCI-001942

[11] Standards Mapping - FIPS200 CM

[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), IA-5 Authenticator Management (P1), SC-17 Public Key Infrastructure Certificates (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), IA-5 Authenticator Management, SC-17 Public Key Infrastructure Certificates

[15] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[17] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.9

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3305 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3305 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3305 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3305 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3305 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3305 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3305 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15), Insufficient Authentication (WASC-01)

[59] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.structural.yaml.kubernetes_misconfiguration_weak_etcd_ssl_certificate.base

Kubernetes Misconfiguration: Weak SSL Certificate for Kubelet

YAML

Abstract

Kubelet usa un certificado autofirmado para conexiones TLS en ausencia de una definición de certificado x509.

Explanation

Los campos tlsCertFile y tlsPrivateKeyFile en una configuración de Kubelet definen el certificado x509 utilizado para servir HTTPS. Al no proporcionar ambos, se generan un certificado y una clave autofirmados para la dirección pública, que queda expuesta a un ataque "man-in-the-middle".

Ejemplo 1: La siguiente configuración de Kubelet no especifica los campos tlsCertFile y tlsPrivateKeyFile para que Kubelet genere automáticamente un certificado autofirmado para las conexiones TLS.


apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration

References

[1] Set Kubelet parameters via a config file The Kubernetes Authors

[2] Kubelet The Kubernetes Authors

[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 4.2.9

[4] Standards Mapping - Common Weakness Enumeration CWE ID 311

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000166, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[6] Standards Mapping - FIPS200 CM, SC

[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity

[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[12] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[14] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[15] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[31] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-000590 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-000590 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-000590 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.yaml.kubernetes_misconfiguration_weak_ssl_certificate_for_kubelet

Kubernetes Terraform Misconfiguration: Improper DaemonSet Access Control

Abstract

Una configuración no aplica controles de acceso adecuados.

Explanation

El acceso no controlado a recursos críticos o confidenciales puede afectar significativamente a una organización de varias maneras, incluida la divulgación o manipulación de datos críticos.

References

[1] Open Web Application Security Project (OWASP) Authorization Cheat Sheet

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 5.1.5

[3] Standards Mapping - Common Weakness Enumeration CWE ID 284

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[8] Standards Mapping - FIPS200 AC

[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation

[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.iac.misconfiguration_improper_access_control.base

Kubernetes Terraform Misconfiguration: Improper Deployment Access Control