high

Google Cloud Data Fusion GitHub Actions Vulnerabilities

Published Thu, Sep 26th, 2024

Platforms

Summary

Multiple "pwn request" vulnerabilities were discovered in Google Cloud Data Fusion, which is based on open-source CDAP code. These vulnerabilities affect GitHub Actions and allow for remote code execution (RCE) and compromise of build artifacts. The issues potentially impact both the Google Cloud platform and GitHub's CI/CD infrastructure.

Affected Services

Cloud Data Fusion

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://bughunters.google.com/reports/vrp/M3Pjk25Sn

Contributed by https://github.com/korniko98

Entry Status

Stub (AI-Generated)

Disclosure Date

Fri, Aug 9th, 2024

Exploitablity Period

Known ITW Exploitation

Detection Methods

Monitor GitHub Actions logs for suspicious activity. Review build artifacts for unexpected changes or injections. Implement security scanning for GitHub Actions workflows, especially those interacting with Google Cloud Data Fusion.

Piercing Index Rating

Discovered by

Google Bug Hunters

More vulnerabilities...

medium

Document AI data exfiltration

The Document AI service unintentionally allows users to read any Cloud Storage object in the same project, in a way that isn't properly documented. The Document AI service agent is auto-assigned wi...

Kat Traxler, Vectra AI

Mon, Sep 16th, 2024

high

CloudImposer

Google Cloud Composer is a managed service for Apache Airflow. Tenable discovered that the Cloud Composer package was vulnerable to dependency confusion, which could have allowed attackers to injec...

Liv Matan, Tenable

Mon, Sep 16th, 2024

high

Escalating from Reader to Contributor in Azure API Management

A vulnerability in Azure API Management allowed users with Reader access to escalate privileges to Contributor level by accessing admin user keys via the ARM API. This permitted full management cap...

Christian Håland, Binary Se...

Fri, Sep 13th, 2024

View all