high

XSS in Google Cloud Theia notebooks

Published Sun, Jan 15th, 2023

Platforms

gcp

Summary

This vulnerability chain starts with a cross-site scripting (XSS) flaw (CVE-2021-41038) in the Theia IDE used in Google Vertex AI Workbench. An attacker could inject malicious JavaScript into the Theia IDE, and that code could then be used to steal the OAuth token associated with the project's default Compute Engine service account. The token is exposed because a user-managed Vertex AI Workbench instance uses the project's default Compute Engine service account when it is created. At the time, this default service account had the Editor role assigned by default.
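The precondition that makes the stolen token valuable can be audited offline. The following is an added example, not part of the original entry or of any Google tooling: it takes a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy --format=json` and flags instances that run as a default Compute Engine service account holding a broad role. The instance records (`name`, `serviceAccount`) are a simplified, constructed shape, all sample values are constructed, and checking `roles/owner` alongside `roles/editor` goes beyond what the entry describes.

```python
import re

# Default Compute Engine service account: PROJECT_NUMBER-compute@developer.gserviceaccount.com
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")
# roles/editor is the role named in the entry; roles/owner is an added assumption.
BROAD_ROLES = {"roles/editor", "roles/owner"}


def broad_roles_by_default_sa(iam_policy):
    """Map each default Compute Engine SA to the broad roles bound to it."""
    found = {}
    for binding in iam_policy.get("bindings", []):
        if binding.get("role") not in BROAD_ROLES:
            continue
        for member in binding.get("members", []):
            kind, _, email = member.partition(":")
            # Skips users, groups and "deleted:serviceAccount:..." members.
            if kind == "serviceAccount" and DEFAULT_COMPUTE_SA.match(email):
                found.setdefault(email, set()).add(binding["role"])
    return found


def risky_instances(iam_policy, instances):
    """Return (name, service account, roles) for instances whose token would carry broad rights."""
    broad = broad_roles_by_default_sa(iam_policy)
    return [
        (inst["name"], inst["serviceAccount"], sorted(broad[inst["serviceAccount"]]))
        for inst in instances
        if inst.get("serviceAccount") in broad
    ]


# Constructed sample data (hypothetical project number, names and accounts).
DEFAULT_SA = "123456789012-compute@developer.gserviceaccount.com"
SCOPED_SA = "notebooks-min@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:" + DEFAULT_SA, "user:alice@example.com"]},
    {"role": "roles/viewer", "members": ["serviceAccount:" + SCOPED_SA]},
]}
SAMPLE_INSTANCES = [
    {"name": "workbench-theia", "serviceAccount": DEFAULT_SA},
    {"name": "workbench-scoped", "serviceAccount": SCOPED_SA},
]

if __name__ == "__main__":
    for name, sa, roles in risky_instances(SAMPLE_POLICY, SAMPLE_INSTANCES):
        print(f"{name}: runs as {sa} with {', '.join(roles)}")
```

An instance that runs as a dedicated service account with narrowly scoped roles, like `workbench-scoped` in the sample, is not flagged.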

Affected Services

Cloud Vertex AI Workbench

Remediation

None, as the Theia IDE is no longer offered as a Vertex AI experimental image.

Tracked CVEs

CVE-2021-41038

References

Contributed by https://github.com/KatTraxler

Entry Status

Finalized

Disclosure Date

Sat, Jan 1st, 2022

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

Sivanesh Ashok, Sreeram KL