medium

GCP IAP bypass

Published Fri, Sep 17th, 2021

Platforms

Summary

Convincing a victim to click a specially crafted link would allow the attacker to bypass the Identity-Aware Proxy (a core component of BeyondCorp).

Affected Services

N/A

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://cloud.google.com/support/bulletins

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Fri, Sep 17th, 2021

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Unknown

More vulnerabilities...

medium

Azure privilege escalation via Log Analytics role

Azure AD users could escalate their privileges using the Log Analytics Contributor role to reach the full Subscription Contributor role.

Karl Fosaaen, NetSPISep 13, 2021

medium

Org policies bypass

Allows an attacker with privileges in the account to share resources outside of the account even when an org policy restricts this, thus enabling them to backdoor their access.

Kat TraxlerSep 10, 2021

critical

Azurescape

Cross-account container escape

Yuval Avrahami, Palo AltoSep 9, 2021

View all