Google Cloud Shell command injection

Published Wed, Aug 10th, 2022


A vulnerability was discovered in Cloud Shell that enabled command injection and remote shell access. By manipulating the "project" parameter, an attacker could have cause an unencoded Python script execution flaw. Exploiting this flaw, they could inject a command to display the contents of the "/etc/passwd" file, successfully execute arbitrary commands and obtain remote shell access. However, the impact of this is unclear, as an attacker would seemingly only be able to gain such a remote shell on their own instance.

Affected Services

Google Cloud Shell


None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Fri, Jan 28th, 2022
Exploitablity Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Bugra Eskici