high

CloudImposer

Published Mon, Sep 16th, 2024

Platforms

Summary

Google Cloud Composer is a managed service for Apache Airflow. Tenable discovered that the Cloud Composer package was vulnerable to dependency confusion, which could have allowed attackers to inject malicious code when the package was compiled from source. This could have led to remote code execution on machines running Cloud Composer, which include various other GCP services as well as internal servers at Google. The dependency confusion stemmed from Google's risky recommendation in their documentation to use the --extra-index-url argument when installing private Python packages. Following disclosure, Google fixed the dependency confusion vulnerability and also updated their documentation.

Affected Services

Google Cloud Composer, App Engine, Cloud Functions

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://www.tenable.com/blog/cloudimposer-executing-code-on-millions-of-google-servers-with-a-single-malicious-package

Contributed by https://github.com/mer-b

Entry Status

Finalized

Disclosure Date

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Liv Matan, Tenable

More vulnerabilities...

high

Escalating from Reader to Contributor in Azure API Management

A vulnerability in Azure API Management allowed users with Reader access to escalate privileges to Contributor level by accessing admin user keys via the ARM API. This permitted full management cap...

Christian Håland, Binary Se...Sep 13, 2024

high

Security Flaw in AWS Transit Gateway Peering Attachments

A security flaw in AWS Transit Gateway Peering attachments allowed unauthorized acceptance of peering requests between regions. The exploit bypassed the approval step, granting potential unauthoriz...

James Sheard, DoiTSep 12, 2024

Copilot Studio information disclosure via SSRF

TenableAug 20, 2024

View all