high

CloudImposer

Published Mon, Sep 16th, 2024

Platforms

Summary

Google Cloud Composer is a managed service for Apache Airflow. Tenable discovered that the Cloud Composer package was vulnerable to dependency confusion, which could have allowed attackers to inject malicious code when the package was compiled from source. This could have led to remote code execution on machines running Cloud Composer, which include various other GCP services as well as internal servers at Google. The dependency confusion stemmed from Google's risky recommendation in their documentation to use the --extra-index-url argument when installing private Python packages. Following disclosure, Google fixed the dependency confusion vulnerability and also updated their documentation.

Affected Services

Google Cloud Composer, App Engine, Cloud Functions

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://www.tenable.com/blog/cloudimposer-executing-code-on-millions-of-google-servers-with-a-single-malicious-package

Contributed by https://github.com/mer-b

Entry Status

Finalized

Disclosure Date

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Liv Matan, Tenable

More vulnerabilities...

Copilot Studio information disclosure via SSRF

Tenable

Tue, Aug 20th, 2024

Azue Health privilege escalation via SSRF

Tenable

Tue, Aug 13th, 2024

high

Unauthorized Access to AWS Account Findings in Microsoft Defender for Cloud

Microsoft Defender for Cloud at one point provided customers with a flawed configuration template through their public GitHub repository. This template creates resources in the customer's AWS accou...

Brandon Evans, Eric Johnson

Mon, Jul 15th, 2024

View all