StaticSite has Broken Access Control vulnerability
OWASP classification
A01:2021 — Broken Access Control: failure to enforce least-privilege, granting broader permissions than necessary.
CVSS 3.1
Score: 3.5 (Low)
| Metric | Value | Rationale |
|---|---|---|
| Attack Vector | Network | Exploitable remotely |
| Attack Complexity | High | Requires discovering bucket name + setting up CloudFront with OAC |
| Privileges Required | Low | Requires an AWS account |
| User Interaction | None | No victim interaction needed |
| Scope | Unchanged | Confined to the S3 bucket |
| Confidentiality | Low | Read-only access to public website content |
| Integrity | None | No write/modify/delete |
| Availability | None | No impact on service |
Vector string: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Details have been shared privately with the core team.