Closes #236: Open in Cloud Shell injection (#240)

* Closes #236: Open in Cloud Shell injection * fix image * Update gcp-cloudshell-open-in-command-injection.yaml --------- Co-authored-by: Amitai Cohen <[email protected]>
wiz-sec · Dec 26, 2023 · 76a2ebb · 76a2ebb
1 parent 6b8cb0b
commit 76a2ebb
Showing 1 changed file with 34 additions and 0 deletions.
diff --git a/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml b/vulnerabilities/gcp-cloudshell-open-in-command-injection.yaml
@@ -0,0 +1,34 @@
+title: "Open In" Google Cloud Shell command injection
+slug: gcp-cloudshell-open-in-command-injection
+cves: null
+affectedPlatforms:
+- GCP
+affectedServices:
+- Google Cloud Shell
+image: https://images.unsplash.com/photo-1541427914209-ef891bee99fd?ixlib=rb-4.0.3&ixid=M3wxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8fA%3D%3D&auto=format&fit=crop&w=3174&q=80
+severity: Medium
+discoveredBy:
+  name: Ademar Nowasky Junior
+  org: null
+  domain: null
+  twitter: nowaskyjr
+publishedAt: 2021/12/28
+disclosedAt: null
+exploitabilityPeriod: Until 2021/01/23
+knownITWExploitation: false
+summary: |
+  A vulnerability was discovered in Cloud Shell that enabled command injection and remote shell access.
+  The "Open in Cloud Shell" functionality allowed a user to provide values for both the "git_repo" and "go_get_repo" parameters,
+  which would clone the target repo in the user's environment. While "git_repo" was validated against a list of trusted repos,
+  "go_get_repo" was not. Therefore, an attacker could have supplied a trusted repository as "git_repo" and
+  an arbitrary command in the "go_get_repo" parameter. The command would then be executed in a trusted environment where it is
+  possible to access the user's home directory and to perform API calls using the user's credentials. However, the impact of this is unclear,
+  as an attacker would seemingly only be able to gain such a remote shell on their own instance. In theory, phishing
+  could be used to try and coerce a user into running a command that exposed their credentials to the attacker.
+  Google mitigated this issue by preventing users from being able to provide both parameters at once.
+manualRemediation: |
+  None required
+detectionMethods: null
+contributor: https://github.com/ramimac
+references:
+- https://docs.google.com/document/d/1-TTCS6fS6kvFUkoJmX4Udr-czQ79lSUVXiWsiAED_bs