Severity
high

Google Cloud ConfusedComposer Privilege Escalation Vulnerability

Published Tue, Apr 22nd, 2025
Platforms
Google Cloud Platform

Summary

Tenable discovered a privilege escalation vulnerability, dubbed ConfusedComposer, in Google Cloud Platform's Cloud Composer service. It allowed a user holding only the composer.environments.update permission to escalate to the default Cloud Build service account by injecting malicious PyPI packages into a Composer environment. Because that service account is typically highly privileged, this could grant broad permissions across the victim's GCP project.

Affected Services

Cloud Composer, Cloud Build

Remediation

Update existing Cloud Composer instances by April 2025 to adopt the new behavior, which uses the Composer environment service account rather than the Cloud Build service account for package installation.

Tracked CVEs

No tracked CVEs

References

Entry Status
Stub (AI-Generated)
Disclosure Date
-
Exploitability Period
Until April 2025
Known ITW Exploitation
-
Detection Methods
Monitor for unexpected PyPI package installations or changes to the package list of Cloud Composer environments. Review Cloud Build logs for suspicious activity related to package installation, such as builds triggered by principals or environments that do not normally change packages.
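As an added example, not code from the Tenable write-up or this database entry: a small Python filter that applies the first detection method above to Cloud Audit Log entries, flagging Composer environment updates whose update mask touches the PyPI package list. The log lines are constructed, and the UpdateEnvironment method name and the pypiPackages update-mask path are assumptions to verify against your own project's audit logs.

```python
"""Flag Cloud Composer environment updates that change the PyPI package list.
Added example; the sample log lines are constructed and the audit-log
identifiers below are assumptions, not copied from the advisory."""
import json

# Assumed identifiers (check them against real Composer audit-log entries).
UPDATE_METHOD = "google.cloud.orchestration.airflow.service.v1.Environments.UpdateEnvironment"
PYPI_MASK_PREFIX = "config.softwareConfig.pypiPackages"

# Constructed sample audit-log entries, one JSON object per line.
SAMPLE_LOG = r'''
{"protoPayload": {"methodName": "google.cloud.orchestration.airflow.service.v1.Environments.UpdateEnvironment", "authenticationInfo": {"principalEmail": "analyst@example.com"}, "resourceName": "projects/demo-project/locations/us-central1/environments/prod-airflow", "request": {"updateMask": "config.softwareConfig.pypiPackages", "environment": {"config": {"softwareConfig": {"pypiPackages": {"example-unvetted-pkg": "==0.1.0"}}}}}}}
{"protoPayload": {"methodName": "google.cloud.orchestration.airflow.service.v1.Environments.UpdateEnvironment", "authenticationInfo": {"principalEmail": "sre@example.com"}, "resourceName": "projects/demo-project/locations/us-central1/environments/prod-airflow", "request": {"updateMask": "config.softwareConfig.envVariables"}}}
{"protoPayload": {"methodName": "google.cloud.orchestration.airflow.service.v1.Environments.GetEnvironment", "authenticationInfo": {"principalEmail": "sre@example.com"}, "resourceName": "projects/demo-project/locations/us-central1/environments/prod-airflow"}}
'''


def pypi_updates(log_text):
    """Return one finding per UpdateEnvironment call whose mask touches PyPI packages."""
    findings = []
    for line in log_text.strip().splitlines():
        payload = json.loads(line).get("protoPayload", {})
        if payload.get("methodName") != UPDATE_METHOD:
            continue  # reads and other write types are not of interest here
        request = payload.get("request", {})
        # updateMask is a comma-separated list of field paths.
        touched = [p.strip() for p in request.get("updateMask", "").split(",") if p.strip()]
        if not any(p.startswith(PYPI_MASK_PREFIX) for p in touched):
            continue  # environment changed, but not its package list
        packages = (request.get("environment", {}).get("config", {})
                    .get("softwareConfig", {}).get("pypiPackages", {}))
        findings.append({
            "principal": payload.get("authenticationInfo", {}).get("principalEmail"),
            "environment": payload.get("resourceName"),
            "packages": sorted(packages),
        })
    return findings


if __name__ == "__main__":
    for f in pypi_updates(SAMPLE_LOG):
        print(f"PyPI package change by {f['principal']} on {f['environment']}: {f['packages']}")
```

Each finding names the principal and environment, so it can be compared against the list of people and pipelines expected to manage packages.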
Piercing Index Rating
-
Discovered by
Liv Matan, Tenable Research