Legacy metadata endpoints should not be explicitly enabled
Severity | Exploitability | Providers | Categories |
---|---|---|---|
HIGH | MEDIUM | Google Cloud Provider | DATA |
Description
The v0.1 and v1beta1 Compute Engine metadata server endpoints were deprecated and shut down in 2020. They did not enforce metadata query headers (the Metadata-Flavor: Google header that the current v1 endpoint requires on every request). They are disabled by default.
Impact
Potential data exposure | Visible in logs | User interaction required | Privileges required |
---|---|---|---|
True | False | False | False |
A virtual machine's metadata server could be used to extract credentials (such as the attached service account's access token) and thus access private data.
Remediation guidelines
Disable legacy metadata endpoints by setting the instance or project-wide metadata key disable-legacy-endpoints to true. Alternatively, simply delete the key, because its default value is true; only an explicit value of false enables the legacy endpoints.
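As an added example (not code from this rule's own implementation), the following check evaluates the disable-legacy-endpoints key the way Compute Engine resolves it: instance metadata overrides project-wide common metadata, and an absent key keeps the secure default. It assumes the metadata shape returned by the Compute API (a metadata object with an items list of key/value pairs); the sample instances and the scan helper are constructed, and treating a case variant such as FALSE as a finding is a conservative assumption.

```python
"""Flag Compute Engine VMs whose effective disable-legacy-endpoints value is false."""
from typing import Optional

KEY = "disable-legacy-endpoints"


def metadata_value(metadata: Optional[dict], key: str) -> Optional[str]:
    """Return the value of `key` from a GCE metadata object, or None if the key is unset.

    Expected shape (as returned by the Compute API): {"items": [{"key": ..., "value": ...}]}.
    Values are normalised (stripped, lower-cased) so that "FALSE" is treated like "false";
    this is a conservative assumption rather than documented Compute Engine behaviour.
    """
    for item in (metadata or {}).get("items") or []:
        if item.get("key") == key:
            return str(item.get("value", "")).strip().lower()
    return None


def legacy_endpoints_explicitly_enabled(instance_metadata: Optional[dict],
                                        project_metadata: Optional[dict] = None) -> bool:
    """True when the effective value resolves to "false" (legacy endpoints explicitly enabled).

    Instance metadata takes precedence over project-wide common metadata. A key that is
    absent at both levels keeps the default (legacy endpoints disabled) and is not a finding.
    """
    value = metadata_value(instance_metadata, KEY)
    if value is None:
        value = metadata_value(project_metadata, KEY)
    return value == "false"


def scan(instances: list, project_metadata: Optional[dict] = None) -> list:
    """Constructed helper: return the names of instances that violate the rule."""
    return [inst["name"] for inst in instances
            if legacy_endpoints_explicitly_enabled(inst.get("metadata"), project_metadata)]


# Constructed sample data, not real project or instance metadata.
PROJECT_METADATA = {"items": [{"key": KEY, "value": "false"}]}  # project-wide opt-in to legacy endpoints
INSTANCES = [
    {"name": "web-1", "metadata": {"items": [{"key": KEY, "value": "true"}]}},   # overrides project: compliant
    {"name": "web-2", "metadata": {"items": []}},                                 # inherits project "false": finding
    {"name": "db-1", "metadata": {"items": [{"key": KEY, "value": "FALSE"}]}},   # explicit, case variant: finding
    {"name": "batch-1"},                                                          # no metadata at all: inherits project "false": finding
]

if __name__ == "__main__":
    for name in scan(INSTANCES, PROJECT_METADATA):
        print(f"{name}: legacy metadata endpoints explicitly enabled")
```

For a flagged instance the fix is either gcloud compute instances add-metadata INSTANCE --metadata disable-legacy-endpoints=true or gcloud compute instances remove-metadata INSTANCE --keys disable-legacy-endpoints, and the same applies at project level with gcloud compute project-info.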