high

CloudImposer

Published Mon, Sep 16th, 2024

Platforms

Summary

Google Cloud Composer is a managed service for Apache Airflow. Tenable discovered that the Cloud Composer package was vulnerable to dependency confusion, which could have allowed attackers to inject malicious code when the package was compiled from source. This could have led to remote code execution on machines running Cloud Composer, which include various other GCP services as well as internal servers at Google. The dependency confusion stemmed from Google's risky recommendation in their documentation to use the --extra-index-url argument when installing private Python packages. Following disclosure, Google fixed the dependency confusion vulnerability and also updated their documentation.

Affected Services

Google Cloud Composer, App Engine, Cloud Functions

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://www.tenable.com/blog/cloudimposer-executing-code-on-millions-of-google-servers-with-a-single-malicious-package

Contributed by https://github.com/mer-b

Entry Status

Finalized

Disclosure Date

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Liv Matan, Tenable

More vulnerabilities...

Copilot Studio information disclosure via SSRF

Tenable

Tue, Aug 20th, 2024

Azue Health privilege escalation via SSRF

Tenable

Tue, Aug 13th, 2024

low

GCP HMAC Keys are not discoverable or revokable other than for self

GCP administrators face challenges in managing HMAC keys within their organizations, lacking visibility into which user accounts have generated these keys and whether they are actively being used...

Kat Traxler, Vectra AI

Mon, Jun 17th, 2024

View all