The severity is CRITICAL because the misconfigured permissions could have led to significant data breaches or system compromise, and the same weakness can exist in any organization that provisions access automatically from HR data.
Automated provisioning from Workday job titles into Entra ID granted an intern Global Administrator access because of a job code error, creating the potential for unauthorized access to, and deployments in, production environments.
Affected Systems
- Workday
- Entra ID (formerly Azure AD)
Affected Versions: All versions using job title-based automatic provisioning without validation
Remediation
- Implement additional validation checks for job titles used to provision access, such as requiring a manual review of new hires with elevated roles.
- Update the automated provisioning scripts to flag and alert on unexpected role assignments (e.g., from Intern to Senior Engineer).
- Review and update all access control policies to ensure they are aligned with least privilege principles.
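The following Python is an added example of the three remediation controls above (allowlisted job-code-to-role mapping, a manual-review hold on elevated roles, and an alert on unexpected role changes) applied to a simulated Workday-to-Entra ID sync. It is not code from the page or from either vendor; the job codes, role names and worker records are constructed for illustration, and the mapping table stands in for whatever reviewed policy a real deployment would keep.

```python
"""Provisioning guard for an HRIS-to-directory role sync (added example).

All job codes, role names and records below are constructed; the mapping is
keyed on job code, not on the free-form job title, so a title/code mismatch
(the failure mode in the incident) is detected instead of acted on.
"""
from dataclasses import dataclass, field

# Assumed allowlist: which directory roles a given HR job code may receive.
JOB_CODE_ROLES = {
    "INT-001": {"Intern"},
    "ENG-200": {"User"},
    "ENG-500": {"User", "Application Developer"},
    "IT-900": {"User", "Global Administrator"},  # privileged; never automatic
}

# Roles that must never be granted by the automated path.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


@dataclass
class Decision:
    worker_id: str
    roles: set = field(default_factory=set)   # roles the account should end up with
    hold_for_review: bool = False             # True => grant nothing new, page a human
    alerts: list = field(default_factory=list)


def evaluate_provisioning(record: dict, current_roles: set) -> Decision:
    """Decide what to grant for one HR record.

    record keys: worker_id, job_code, job_title, previous_job_code (optional)
    current_roles: roles the account already holds in the directory.
    """
    d = Decision(worker_id=record["worker_id"])
    job_code = record["job_code"]

    # 1. Unknown job code: grant nothing and hold. Never fall back to the title.
    if job_code not in JOB_CODE_ROLES:
        d.hold_for_review = True
        d.alerts.append(
            f"unknown job code {job_code!r}; title was {record.get('job_title')!r}")
        d.roles = set(current_roles)
        return d

    requested = set(JOB_CODE_ROLES[job_code])

    # 2. Privileged roles always require manual approval, whatever the code says.
    privileged = requested & PRIVILEGED_ROLES
    if privileged:
        d.hold_for_review = True
        d.alerts.append(
            f"privileged role(s) {sorted(privileged)} require manual approval")
        requested -= privileged

    # 3. Flag an implausible jump (e.g. Intern straight to another code).
    prev = record.get("previous_job_code")
    if prev == "INT-001" and job_code != "INT-001":
        d.hold_for_review = True
        d.alerts.append(f"role change from {prev} to {job_code} flagged for review")

    # 4. Job title disagreeing with job code is exactly the incident's error.
    title = record.get("job_title", "")
    if "intern" in title.lower() and job_code != "INT-001":
        d.hold_for_review = True
        d.alerts.append(f"title {title!r} does not match job code {job_code}")

    # On hold, leave the account as it is; otherwise grant the allowlisted roles.
    d.roles = set(current_roles) if d.hold_for_review else requested
    return d


if __name__ == "__main__":
    # Constructed records: a normal hire and the incident-style mismatch.
    samples = [
        ({"worker_id": "w-100", "job_code": "ENG-200",
          "job_title": "Software Engineer"}, set()),
        ({"worker_id": "w-200", "job_code": "IT-900", "job_title": "Intern",
          "previous_job_code": "INT-001"}, {"Intern"}),
    ]
    for rec, have in samples:
        res = evaluate_provisioning(rec, have)
        print(res.worker_id, "hold" if res.hold_for_review else "grant",
              sorted(res.roles), res.alerts)
```

A hold returns the account's existing roles unchanged, so the automation can still run unattended: the worst case for a bad record is that nobody gets new access until a reviewer acts on the alert, rather than an intern receiving Global Administrator.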
Stack Impact
Does not directly affect nginx, docker, linux kernel, openssh, curl, openssl, python, or homelab components. However, it impacts cloud services like Azure subscriptions.