high

Google App Engine RCE Worth $36k

Published Sat, Aug 31st, 2019

Platforms

gcp

Summary

Researcher discovered access to non-production Google App Engine environments and internal APIs. This allowed configuring internal settings like Service Account IDs and quotas. Google considered it RCE due to their infrastructure. Access was blocked and a $36,337 reward issued.

Affected Services

App Engine

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://www.ezequiel.tech/p/36k-google-app-engine-rce.html

Contributed by https://github.com/korniko98

Entry Status

Stub (AI-Generated)

Disclosure Date

Sun, Feb 25th, 2018

Exploitability Period

Until 2018/03/13

Known ITW Exploitation

-

Detection Methods

Monitor for unexpected access attempts to non-production App Engine environments. Review App Engine configuration changes, especially around Service Accounts and quotas.

Piercing Index Rating

-

Discovered by

Ezequiel Pereira

More vulnerabilities...

high

Lake Formation data lake admin override

aws

Shortly after Lake Formation was made generally available, a bug was discovered that gave anyone the ability to view and override data lake admins for any account (an attacker would have only neede...

Ian Mckay
medium

AWS IAM role credential exfiltration via EC2 Instance Metadata Service (IMDSv1)

aws

AWS offers a metadata service accessible to most EC2 Instances via a simple GET request to 169.254.169.254. If an instance has an SSRF vulnerability, attackers can access the metadata service & exf...

high

IAM privilege escalation via undocumented CodeStar API

aws

The AWS CodeStar service had an undocumented API (codestar:CreateProjectFromTemplate) that allowed users with broadly-scoped CodeStar permissions to create a CodeStar project. As part of the creati...

Spencer Gietzen, Rhino Secu...
View all