Describe the bug

ScoutSuite's 'Key Vault Role Based Access Control Disabled' rule fails to flag certain Key Vaults that are using the Vault access policy permission model.

The problem is caused because the `enableRbacAuthorization` field can be `true`, `false`, or `null`, while ScoutSuite does not handle the `null` case appropriately. The code sets the `rbac_authorization_enabled` flag to `None` if the API returns `null`:

However, the rule matches for `false` only:

To Reproduce
1. Prepare environment: Create a Key Vault via the `az` CLI utility as follows:

   This sets `enableRbacAuthorization = null`:

   The resulting Key Vault uses Vault access policy as its permission model, as can be seen in the following screenshot:

2. Execute ScoutSuite: Run ScoutSuite with the default parameters:

   The results do not flag the key vault `'key-vault-2fg28f22'`:

Additional context

n/a
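The three-valued field described in this report is easy to reproduce in isolation. The following is an added example, not ScoutSuite's own code: it normalises `enableRbacAuthorization` the way the report says the collector does (`null` becomes `None`), then runs two versions of the rule over constructed sample vaults. The resource shape, vault names and function names are assumptions for illustration; only the `enableRbacAuthorization` / `rbac_authorization_enabled` names come from the report.

```python
"""Added example (not ScoutSuite code): a rule that tests only for False
silently skips Key Vaults whose enableRbacAuthorization is null."""

from typing import Callable, Dict, List, Optional

# Constructed sample resources, loosely shaped like the "properties" block of
# an Azure Key Vault API response. Names and values are hypothetical.
SAMPLE_VAULTS: List[Dict] = [
    {"name": "kv-rbac-enabled", "properties": {"enableRbacAuthorization": True}},
    {"name": "kv-rbac-disabled", "properties": {"enableRbacAuthorization": False}},
    {"name": "kv-rbac-null", "properties": {"enableRbacAuthorization": None}},
    {"name": "kv-rbac-missing", "properties": {}},  # field absent entirely
]


def parse_vault(raw: Dict) -> Dict[str, Optional[bool]]:
    """Normalise the API field as the report describes: true -> True,
    false -> False, null (or an absent field) -> None."""
    props = raw.get("properties", {})
    return {
        "name": raw["name"],
        "rbac_authorization_enabled": props.get("enableRbacAuthorization"),
    }


def rbac_disabled_buggy(vault: Dict) -> bool:
    """Mirrors the behaviour in the report: only an explicit False counts as
    'RBAC disabled', so a null value (Vault access policy) is never flagged."""
    return vault["rbac_authorization_enabled"] is False


def rbac_disabled_fixed(vault: Dict) -> bool:
    """Treat anything other than an explicit True as 'RBAC disabled'.
    A vault not confirmed to use RBAC is one still on access policies,
    which is exactly what the rule is meant to surface."""
    return vault["rbac_authorization_enabled"] is not True


def find_flagged(vaults: List[Dict], check: Callable[[Dict], bool]) -> List[str]:
    """Return the names of the vaults a given rule implementation flags."""
    return [v["name"] for v in map(parse_vault, vaults) if check(v)]


if __name__ == "__main__":
    print("buggy rule flags:", find_flagged(SAMPLE_VAULTS, rbac_disabled_buggy))
    print("fixed rule flags:", find_flagged(SAMPLE_VAULTS, rbac_disabled_fixed))
```

The fixed check deliberately errs toward flagging. If the collector can also yield `None` when the property was not retrieved at all (a failed or partial API call), that case is worth distinguishing from a confirmed `null` so that an auditing gap is reported as such rather than as a finding.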