high

XSS in Google Cloud Theia notebooks

Published Sun, Jan 15th, 2023
Platforms

Summary

This vulnerability chain exploits a Cross-Site Scripting (XSS) flaw (CVE-2021-41038) within the Theia IDE used in Google Vertex AI Workbench. An attacker could inject malicious JavaScript code into the Theia IDE. This code could then be used to steal the OAuth token associated with the project's default Compute Engine service account, because when a user-managed Vertex AI Workbench instance is created, it utilizes the project's default Compute Engine service account. At the time, this default service account had the Editor Role assigned by default.

Affected Services

Cloud Vertex AI Workbench

Remediation

None, as the Theia IDE is no longer offered as a Vertex AI experimental image.

Tracked CVEs

CVE-2021-41038

References

Contributed by https://github.com/KatTraxler
Entry Status
Finalized
Disclosure Date
Sat, Jan 1st, 2022
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Sivanesh Ashok, Sreeram KL

More vulnerabilities...

high

Bypassing authorization in Google Cloud Workstations

Several vulnerabilities were present in how Google Cloud Shell (ssh.cloud.google.com) handled OAuth credentials. These included an open-redirect vulnerability, where attackers could redirect users ...

...
Sivanesh Ashok, Sreeram KL

high

SSH key injection in Google Cloud Compute Engine

Google Cloud Compute Engine (GCE) was vulnerable to SSH key injection by abusing an SSH-in-browser feature to change username and password. An attacker could send a specially-crafted link to a targ...

...
Sivanesh Ashok

high

Client-Side SSRF to Google Cloud Project Takeover

A vulnerability in Vertex AI Workbench allowed attackers to take over victims' Google Cloud projects through client-side SSRF. The initial bug involved unauthorized access to authentication tokens,...

...
Sivanesh Ashok, Sreeram KL

View all