Security News > 2023 > July > Google Cloud shores up log permissions for builder bot

Google Cloud shores up log permissions for builder bot
2023-07-24 04:08

Infosec in brief A security weakness in Google Cloud Build could have allowed attackers to tamper with organizations' code repositories and application images, according to Orca Security researchers.

The issue, as Google describes it, is more about poorly defined permissions.

Cloud Build, as an automation service, uses service accounts to authenticate requests made during a build.

As Orca researchers discovered, if someone enables the Cloud Build API in a project, the product automatically creates a default service account to execute builds.

"We appreciate the work of the researchers and have incorporated a fix based on their report as outlined in a security bulletin issued in early June," Google told us.

"It's important that organizations pay close attention to the behavior of the default Google Cloud Build service account," Nisimi said, adding that applying the principle of least privilege is vital to reducing an organization's risk.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/07/24/infosec_in_brief/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 102 256 4320 4678 741 9995