# Create ServiceAccount Tokens
## Overview
| Field | Value |
|---|---|
| ID | 1047 |
| Name | Create ServiceAccount Tokens |
| Risk Category | Spoofing |
| Risk Level | Critical |
| Role Type | Role |
| API Groups | authentication.k8s.io |
| Resources | serviceaccounts/token |
| Verbs | create |
| Tags | CredentialAccess, Impersonation, PotentialPrivilegeEscalation, Spoofing, TokenCreation |
## Description
Grants the ability to create tokens (through the TokenRequest subresource) for ServiceAccounts in the Role's namespace. If any of those ServiceAccounts holds powerful permissions, a token created for it lets the holder act as that ServiceAccount, which can lead to privilege escalation, credential access, and spoofing.
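The check below is an added example, not code from this catalogue or any project: it scans a Role or ClusterRole object (as `kubectl get role -o json` renders it) for rules that grant `create` on `serviceaccounts/token`, honouring the `*` and `*/token` wildcards, and reports whether `resourceNames` narrows the rule to specific ServiceAccounts. It accepts both the API group listed above and the core group `""`, under which RBAC manifests commonly write this subresource; the sample Role is constructed.

```python
from typing import Any

# API groups under which the token subresource may appear in a rule.
# The catalogue lists authentication.k8s.io; manifests commonly use "".
TOKEN_API_GROUPS = {"", "authentication.k8s.io"}
# Exact subresource plus the RBAC "*/subresource" wildcard form.
TOKEN_RESOURCES = {"serviceaccounts/token", "*/token"}


def _matches(values: list, wanted: set) -> bool:
    """True if the rule's list contains a wanted value or the '*' wildcard."""
    return any(v == "*" or v in wanted for v in values)


def find_token_creation_rules(role: dict) -> list:
    """Return one finding per rule in `role` that allows creating SA tokens."""
    findings = []
    meta = role.get("metadata") or {}
    for idx, rule in enumerate(role.get("rules") or []):
        if not (_matches(rule.get("apiGroups") or [], TOKEN_API_GROUPS)
                and _matches(rule.get("resources") or [], TOKEN_RESOURCES)
                and _matches(rule.get("verbs") or [], {"create"})):
            continue
        findings.append({
            "kind": role.get("kind"),
            "name": meta.get("name"),
            "namespace": meta.get("namespace"),
            "rule_index": idx,
            # resourceNames narrows the rule to specific ServiceAccounts;
            # an empty list means any SA in scope can be targeted.
            "limited_to": list(rule.get("resourceNames") or []),
        })
    return findings


# Constructed sample Role, shaped like `kubectl get role -o json` output.
SAMPLE_ROLE = {
    "kind": "Role",
    "metadata": {"name": "token-minter", "namespace": "payments"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["serviceaccounts/token"],
         "verbs": ["create"], "resourceNames": ["billing-sa"]},
    ],
}

if __name__ == "__main__":
    for f in find_token_creation_rules(SAMPLE_ROLE):
        print(f"{f['kind']}/{f['namespace']}/{f['name']} rule {f['rule_index']}: "
              f"create serviceaccounts/token, limited to {f['limited_to'] or 'any SA'}")
```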