1464 itens encontrados

Vulnerabilidades

Kubernetes Misconfiguration: Static Authentication Token

YAML

Abstract

Um servidor da API Kubernetes usa tokens estáticos para autenticar solicitações.

Explanation

Um servidor da API Kubernetes autentica solicitações comparando tokens de portador a uma lista mantida em um arquivo de token estático. O arquivo de token armazena segredos em texto simples e é de natureza estática. A autenticação baseada em tokens estáticos é suscetível a ataques de força bruta e pode vazar credenciais de acesso para invasores em um ambiente mal configurado. Para adicionar, substituir ou revogar um token, você deve reiniciar o servidor API.

Exemplo 1: Usando o sinalizador --token-auth-file, a configuração a seguir inicia um servidor da API Kubernetes que autentica solicitações por tokens estáticos.


...
spec:
  containers:
  - command:
    - kube-apiserver
    ...
    - --token-auth-file=<filename>
    ...

References

[1] Static Token File The Kubernetes Authors

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.2.2

[3] Standards Mapping - Common Weakness Enumeration CWE ID 552

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001958

[5] Standards Mapping - FIPS200 CM

[6] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-3 Device Identification and Authentication (P1), IA-8 Identification and Authentication (Non-Organizational Users) (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-3 Device Identification and Authentication, IA-8 Identification and Authentication (Non-Organizational Users)

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 1.9.1 Communications Architectural Requirements (L2 L3), 2.2.5 General Authenticator Requirements (L3), 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.3.1 Sensitive Private Data (L1 L2 L3), 8.1.6 General Data Protection (L3), 9.1.1 Communications Security Requirements (L1 L2 L3), 9.2.2 Server Communications Security Requirements (L2 L3), 14.4.5 HTTP Security Headers Requirements (L1 L2 L3)

[11] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication

[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[13] Standards Mapping - OWASP Top 10 2007 A7 Broken Authentication and Session Management

[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.7

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.10

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.10

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.10

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3260.1 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3260 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3260 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3260 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3260 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3260 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3260 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001650 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001650 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001650 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001650 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001650 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001650 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001650 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001650 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001650 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001650 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001650 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001650 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001650 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001650 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001650 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-001650 CAT II

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Server Misconfiguration (WASC-14)

desc.structural.yaml.kubernetes_misconfiguration_static_authentication_token.base

Kubernetes Misconfiguration: Unbound Controller Manager

YAML

Abstract

Um gerenciador de controlador Kubernetes aceita conexões externas.

Explanation

O gerenciador do controlador Kubernetes monitora o estado de um cluster e, se necessário, pode fazer alterações em quaisquer recursos gerenciados pelo cluster. Por padrão, um gerenciador de controlador aceita solicitações de conexões externas. A partir de uma conexão externa, um invasor pode obter acesso a APIs sensíveis à segurança, mas insuficientemente protegidas.

Exemplo 1: A configuração a seguir inicia um gerenciador de controlador Kubernetes sem um endereço de vinculação.


...
spec:
  containers:
  - command:
    - kube-controller-manager
    - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
    image: example.domain/kube-controller-manager:v1.9.7
    imagePullPolicy: IfNotPresent
    ...

References

[1] Kubernetes controller manager The Kubernetes Authors

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.3.7

[3] Standards Mapping - Common Weakness Enumeration CWE ID 20

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020

[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[11] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)

[13] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[14] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[15] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[29] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020

[30] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.yaml.kubernetes_misconfiguration_unbound_controller_manager

Kubernetes Misconfiguration: Unbound Scheduler

YAML

Abstract

Um Agendador do Kubernetes aceita conexões externas.

Explanation

O agendador do Kubernetes determina onde os pods são executados. Por padrão, um agendador aceita solicitações de conexões externas. A partir de uma conexão externa, um invasor pode acessar APIs com proteção insuficiente e sensíveis à segurança.

Exemplo 1: A configuração a seguir inicia um Agendador Kubernetes sem um endereço de vinculação.


...
spec:
  containers:
    - command:
      - kube-scheduler
    image: example.domain/kube-scheduler:v1.5.2
    imagePullPolicy: IfNotPresent
    ...

References

[1] Kubernetes Scheduler The Kubernetes Authors

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 1.4.2

[3] Standards Mapping - Common Weakness Enumeration CWE ID 20

[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [3] CWE ID 020

[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [3] CWE ID 020

[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [4] CWE ID 020

[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [4] CWE ID 020

[8] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020

[9] Standards Mapping - FIPS200 CM

[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.1.3 Input Validation Requirements (L1 L2 L3), 5.1.4 Input Validation Requirements (L1 L2 L3)

[12] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[14] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[16] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[25] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection

[28] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 020

[29] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.yaml.kubernetes_misconfiguration_unbound_scheduler

Kubernetes Misconfiguration: Unconfigured API Server Logging

YAML

Abstract

Um servidor da API Kubernetes é iniciado sem definir uma política para registrar eventos de auditoria.

Explanation

Um servidor da API Kubernetes não registra eventos se não houver um arquivo de política de auditoria especificado. Os logs de eventos contêm dados valiosos usados para identificar incidentes de segurança, monitorar violações de políticas e auxiliar nos controles de não repúdio.

Exemplo 1: A configuração a seguir inicia um servidor da API Kubernetes sem o sinalizador --audit-policy-file.


...
spec:
  containers:
  - command:
    - kube-apiserver
    - --audit-log-path=<the log file path>
  image: example.domain/kube-apiserver-amd64:v1.6.0
  ...

References

[1] Audit Policy The Kubernetes Authors

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 3.2.1

[3] Standards Mapping - Common Weakness Enumeration CWE ID 778

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000172

[5] Standards Mapping - FIPS200 CM

[6] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data

[7] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-12 Audit Generation (P1)

[8] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-12 Audit Record Generation

[9] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[10] Standards Mapping - OWASP Application Security Verification Standard 4.0 7.1.3 Log Content Requirements (L2 L3), 7.1.4 Log Content Requirements (L2 L3), 7.2.1 Log Processing Requirements (L2 L3), 7.2.2 Log Processing Requirements (L2 L3)

[11] Standards Mapping - OWASP Mobile 2014 M1 Weak Server Side Controls

[12] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[13] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[14] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[15] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration, A10 Insufficient Logging and Monitoring

[16] Standards Mapping - OWASP Top 10 2021 A09 Security Logging and Monitoring Failures

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10, Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 10.2.1, Requirement 10.2.4, Requirement 10.3.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 10.2.1, Requirement 10.2.1.4, Requirement 10.2.2

[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 8.2 - Activity Tracking

[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 8.2 - Activity Tracking

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 8.2 - Activity Tracking

[29] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3680.4 CAT II, APP3680.5 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3680.4 CAT II, APP3680.5 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3680.4 CAT II, APP3680.5 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3680.4 CAT II, APP3680.5 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3680.4 CAT II, APP3680.5 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3680.4 CAT II, APP3680.5 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3680.4 CAT II, APP3680.5 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000830 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000830 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000830 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000830 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000830 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000830 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000830 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000830 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000830 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000830 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000830 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000830 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000830 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000830 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000830 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000830 CAT II

[52] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)

desc.structural.yaml.kubernetes_misconfiguration_unconfigured_api_server_logging.base

Kubernetes Misconfiguration: Uncontrolled Kubelet Resource Consumption

YAML

Abstract

Uma configuração permite o consumo ilimitado de recursos.

Explanation

Os recursos computacionais faturáveis incluem, mas não se limitam ao uso da CPU, memória, armazenamento persistente e conexões de rede. Na ausência de limites de utilização de recursos, os invasores podem causar uma negação de serviço que consome todos os recursos disponíveis ou incorrer em contas exorbitantes.

References

[1] Standards Mapping - CIS Kubernetes Benchmark Recommendation 4.2.13

[2] Standards Mapping - Common Weakness Enumeration CWE ID 770

[3] Standards Mapping - Common Weakness Enumeration Top 25 2024 [24] CWE ID 400

[4] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001094

[5] Standards Mapping - NIST Special Publication 800-53 Revision 4 SC-5 Denial of Service Protection (P1)

[6] Standards Mapping - NIST Special Publication 800-53 Revision 5 SC-5 Denial of Service Protection

[7] Standards Mapping - OWASP API 2023 API4 Unrestricted Resource Consumption, API8 Security Misconfiguration

[8] Standards Mapping - OWASP Top 10 2004 A9 Application Denial of Service

[9] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[10] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[11] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[12] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration

[13] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.9

[14] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.6

[15] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.6

[16] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.6

[17] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.6

[18] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[20] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 4.2 - Critical Asset Protection

[21] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 4.2 - Critical Asset Protection

[22] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 4.2 - Critical Asset Protection, Control Objective C.3.3 - Web Software Attack Mitigation

[23] Standards Mapping - SANS Top 25 2009 Risky Resource Management - CWE ID 404

[24] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP6080 CAT II

[25] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP6080 CAT II

[26] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP6080 CAT II

[27] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6080 CAT II

[28] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6080 CAT II

[29] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6080 CAT II

[30] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6080 CAT II

[31] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002400 CAT II

[32] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002400 CAT II

[33] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002400 CAT II

[34] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002400 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002400 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002400 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002400 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002400 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002400 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002400 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002400 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002400 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002400 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002400 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002400 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002400 CAT II

[47] Standards Mapping - Web Application Security Consortium Version 2.00 Denial of Service (WASC-10)

[48] Standards Mapping - Web Application Security Consortium 24 + 2 Denial of Service

desc.structural.iac.misconfiguration_uncontrolled_resource_consumption.base

Kubernetes Misconfiguration: Weak etcd SSL Certificate

YAML

Abstract

Uma instância etcd aceita conexões TLS de clientes que usam certificados autoassinados.

Explanation

O Kubernetes mantém dados confidenciais em um cluster etcd. Portanto, cada instância do etcd deve aceitar apenas conexões de clientes autenticados e autorizados e rejeitar qualquer cliente que use um certificado autoassinado para conexões TLS.

Exemplo 1: A configuração a seguir inicia uma instância etcd e define o sinalizador --auto-tls como true. Como resultado, a instância etcd usa certificados autoassinados para conexões TLS com clientes.


...
spec:
  containers:
  - command:
...
    - etcd
    ...
    - --auto-tls=true
    ...

References

[1] Operating etcd clusters for Kubernetes The Kubernetes Authors

[2] etcd configuration etcd Authors

[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 2.3

[4] Standards Mapping - Common Weakness Enumeration CWE ID 296

[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [13] CWE ID 287, [25] CWE ID 295

[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [14] CWE ID 287

[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [14] CWE ID 287

[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [14] CWE ID 287

[9] Standards Mapping - Common Weakness Enumeration Top 25 2024 [14] CWE ID 287

[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000166, CCI-000185, CCI-001941, CCI-001942

[11] Standards Mapping - FIPS200 CM

[12] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[13] Standards Mapping - NIST Special Publication 800-53 Revision 4 AU-10 Non-Repudiation (P2), IA-2 Identification and Authentication (Organizational Users) (P1), IA-5 Authenticator Management (P1), SC-17 Public Key Infrastructure Certificates (P1)

[14] Standards Mapping - NIST Special Publication 800-53 Revision 5 AU-10 Non-Repudiation, IA-2 Identification and Authentication (Organizational Users), IA-5 Authenticator Management, SC-17 Public Key Infrastructure Certificates

[15] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 2.7.1 Out of Band Verifier Requirements (L1 L2 L3), 2.7.2 Out of Band Verifier Requirements (L1 L2 L3), 2.7.3 Out of Band Verifier Requirements (L1 L2 L3), 2.8.4 Single or Multi Factor One Time Verifier Requirements (L2 L3), 2.8.5 Single or Multi Factor One Time Verifier Requirements (L2 L3), 3.7.1 Defenses Against Session Management Exploits (L1 L2 L3), 6.2.1 Algorithms (L1 L2 L3), 9.2.1 Server Communications Security Requirements (L2 L3), 9.2.3 Server Communications Security Requirements (L2 L3)

[17] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[18] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[19] Standards Mapping - OWASP Top 10 2010 A6 Security Misconfiguration

[20] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[21] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[22] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.10

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.9

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.4

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.4

[29] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.4

[30] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4

[31] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4

[32] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 7.1 - Use of Cryptography

[33] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[34] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 7.1 - Use of Cryptography, Control Objective B.2.3 - Terminal Software Design

[35] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3305 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3305 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3305 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3305 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3305 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3305 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3305 CAT I

[42] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[43] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[44] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[45] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[46] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[47] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[48] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[49] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[50] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[51] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[52] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[53] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[54] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[55] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[56] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[57] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000590 CAT II, APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-001810 CAT I

[58] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15), Insufficient Authentication (WASC-01)

[59] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authentication

desc.structural.yaml.kubernetes_misconfiguration_weak_etcd_ssl_certificate.base

Kubernetes Misconfiguration: Weak SSL Certificate for Kubelet

YAML

Abstract

O Kubelet usa um certificado autoassinado para conexões TLS na ausência de uma definição de certificado x509.

Explanation

Os campos tlsCertFile e tlsPrivateKeyFile em uma configuração do Kubelet definem o certificado x509 usado para servir HTTPS. Se os dois não forem fornecidos, um certificado e uma chave autoassinados serão gerados para o endereço público, que é suscetível a um ataque man-in-the-middle.

Exemplo 1: A configuração do Kubelet a seguir não especifica os campos tlsCertFile e tlsPrivateKeyFile para que o Kubelet gere automaticamente um certificado autoassinado para conexões TLS.


apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration

References

[1] Set Kubelet parameters via a config file The Kubernetes Authors

[2] Kubelet The Kubernetes Authors

[3] Standards Mapping - CIS Kubernetes Benchmark Recommendation 4.2.9

[4] Standards Mapping - Common Weakness Enumeration CWE ID 311

[5] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000068, CCI-000166, CCI-001453, CCI-002418, CCI-002420, CCI-002421, CCI-002422, CCI-002890, CCI-003123

[6] Standards Mapping - FIPS200 CM, SC

[7] Standards Mapping - General Data Protection Regulation (GDPR) Insufficient Data Protection

[8] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-17 Remote Access (P1), AU-10 Non-Repudiation (P2), MA-4 Nonlocal Maintenance (P2), SC-8 Transmission Confidentiality and Integrity (P1)

[9] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-17 Remote Access, AU-10 Non-Repudiation, MA-4 Nonlocal Maintenance, SC-8 Transmission Confidentiality and Integrity

[10] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[11] Standards Mapping - OWASP Application Security Verification Standard 4.0 2.6.3 Look-up Secret Verifier Requirements (L2 L3), 6.2.1 Algorithms (L1 L2 L3), 8.1.6 General Data Protection (L3)

[12] Standards Mapping - OWASP Mobile 2014 M3 Insufficient Transport Layer Protection

[13] Standards Mapping - OWASP Top 10 2004 A10 Insecure Configuration Management

[14] Standards Mapping - OWASP Top 10 2007 A9 Insecure Communications

[15] Standards Mapping - OWASP Top 10 2010 A9 Insufficient Transport Layer Protection

[16] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration

[17] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration

[18] Standards Mapping - OWASP Top 10 2021 A02 Cryptographic Failures

[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 4.1, Requirement 6.5.10

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 4.1, Requirement 6.3.1.4, Requirement 6.5.9

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 4.1, Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 4.1, Requirement 6.5.4

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 4.1, Requirement 6.5.4

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 4.1, Requirement 6.5.4

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 4.1, Requirement 6.5.4

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 4.2.1, Requirement 6.2.4

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 4.2.1, Requirement 6.2.4

[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 6.2 - Sensitive Data Protection, Control Objective 7 - Use of Cryptography, Control Objective C.4.1 - Web Software Communications

[31] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 319

[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 311

[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 311

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3250.1 CAT I, APP3250.2 CAT I, APP3250.3 CAT II, APP3250.4 CAT II, APP3260 CAT II

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-000590 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-000590 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000160 CAT II, APSC-DV-000170 CAT II, APSC-DV-000590 CAT II, APSC-DV-001940 CAT II, APSC-DV-001950 CAT II, APSC-DV-002440 CAT I, APSC-DV-002450 CAT II, APSC-DV-002460 CAT II, APSC-DV-002470 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Transport Layer Protection (WASC-04)

[58] Standards Mapping - Web Application Security Consortium 24 + 2 Information Leakage

desc.structural.yaml.kubernetes_misconfiguration_weak_ssl_certificate_for_kubelet

Kubernetes Terraform Misconfiguration: Improper DaemonSet Access Control

Abstract

Uma configuração não aplica controles de acesso adequados.

Explanation

O acesso descontrolado a recursos críticos ou confidenciais pode afetar significativamente uma organização de várias maneiras, incluindo a divulgação ou adulteração de dados críticos.

References

[1] Open Web Application Security Project (OWASP) Authorization Cheat Sheet

[2] Standards Mapping - CIS Kubernetes Benchmark Recommendation 5.1.5

[3] Standards Mapping - Common Weakness Enumeration CWE ID 284

[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [25] CWE ID 862

[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [18] CWE ID 862

[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [16] CWE ID 862

[7] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-000213, CCI-001084, CCI-002165

[8] Standards Mapping - FIPS200 AC

[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation

[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 AC-3 Access Enforcement (P1), AC-6 Least Privilege (P1), SC-3 Security Function Isolation (P1)

[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 AC-3 Access Enforcement, AC-6 Least Privilege, SC-3 Security Function Isolation

[12] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration

[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 4.1.3 General Access Control Design (L1 L2 L3)

[14] Standards Mapping - OWASP Top 10 2004 A2 Broken Access Control

[15] Standards Mapping - OWASP Top 10 2007 A4 Insecure Direct Object Reference

[16] Standards Mapping - OWASP Top 10 2010 A4 Insecure Direct Object References

[17] Standards Mapping - OWASP Top 10 2013 A4 Insecure Direct Object References

[18] Standards Mapping - OWASP Top 10 2017 A5 Broken Access Control

[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control

[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 Requirement 6.5.2

[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.4

[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.8

[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.8

[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.8

[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.8

[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.8

[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4, Requirement 1.4.2

[28] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.2.4, Requirement 1.4.2

[29] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control

[30] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control

[31] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls

[32] Standards Mapping - SANS Top 25 2010 Porous Defenses - CWE ID 863

[33] Standards Mapping - SANS Top 25 2011 Porous Defenses - CWE ID 863

[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3480.1 CAT II

[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3480.1 CAT I

[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3480.1 CAT I

[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3480.1 CAT I

[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3480.1 CAT I

[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3480.1 CAT I

[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3480.1 CAT I

[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[56] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-000460 CAT I, APSC-DV-000470 CAT II, APSC-DV-002360 CAT II

[57] Standards Mapping - Web Application Security Consortium Version 2.00 Insufficient Authorization (WASC-02)

[58] Standards Mapping - Web Application Security Consortium 24 + 2 Insufficient Authorization

desc.structural.iac.misconfiguration_improper_access_control.base

Kubernetes Terraform Misconfiguration: Improper Deployment Access Control