medium

Google Cloud Shell command injection

Published Wed, Aug 10th, 2022
Platforms

Summary

A vulnerability was discovered in Cloud Shell that enabled command injection and remote shell access. By manipulating the "project" parameter, an attacker could have cause an unencoded Python script execution flaw. Exploiting this flaw, they could inject a command to display the contents of the "/etc/passwd" file, successfully execute arbitrary commands and obtain remote shell access. However, the impact of this is unclear, as an attacker would seemingly only be able to gain such a remote shell on their own instance.

Affected Services

Google Cloud Shell

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Entry Status
Finalized
Disclosure Date
Fri, Jan 28th, 2022
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Bugra Eskici