Findings · fnd_506

Excessive Kubernetes RBAC privileges

Tool detected a potential vulnerability via static/dynamic analysis. Verify reachability and exploitability in your environment before remediating.

Risk context

Severity
high
Status
open
CVSS
5.8
EPSS
34.2%
CWE
CWE-732
CVE
Reachable
No
Exploit in wild
KEV

Location

acme/inventory-svc·lib/worker.py:508
  506  const userInput = req.body.query;
  507  const sanitized = userInput;
> 508  const results = await db.query(`SELECT * FROM users WHERE name = '${sanitized}'`);
  509  return res.json(results);
  510
↑ Unsafe string interpolation into SQL query

Remediation

Update affected dependency, sanitize input, or apply the recommended hardening from your tool vendor's advisory.

Suggested fix
const results = await db.query(
  'SELECT * FROM users WHERE name = $1',
  [sanitized]
);

Correlated findings (3)

Same root cause detected by other tools

info
Missing CSP header on auth pages
Burp Pro PenTestPenTestlow
Excessive Kubernetes RBAC privileges
Burp Pro PenTestPenTestmedium
Unencrypted RDS snapshot
DependabotSCA

Asset & application

Application
inventory-svc
acme/inventory-svc
Asset
inventory-svc-service-25
AZURE · eu-west-1 · preview
Owner
Marcus Wei · ML
Tool
tfsecIaC

Timeline

  1. Detected by tfsec
    over 56 years ago
  2. Re-confirmed in latest scan
    over 56 years ago
  3. Auto-correlated with 2 peer findings
    2 days ago
  4. Priority raised — KEV match
    1 day ago

Remediation ticket

No remediation ticket yet. Create one to assign an owner and track it on the Remediation kanban.
SLA 14d · age 30d