Google Cloud shores up log permissions for builder bot

2023-07-24 04:08

Infosec in brief A security weakness in Google Cloud Build could have allowed attackers to tamper with organizations' code repositories and application images, according to Orca Security researchers.

The issue, as Google describes it, is more about poorly defined permissions.

Cloud Build, as an automation service, uses service accounts to authenticate requests made during a build.

As Orca researchers discovered, if someone enables the Cloud Build API in a project, the product automatically creates a default service account to execute builds.

"We appreciate the work of the researchers and have incorporated a fix based on their report as outlined in a security bulletin issued in early June," Google told us.

"It's important that organizations pay close attention to the behavior of the default Google Cloud Build service account," Nisimi said, adding that applying the principle of least privilege is vital to reducing an organization's risk.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/07/24/infosec_in_brief/

#BOT #cloud #google #googlecloud

Related vendor

VENDOR	LAST 12M	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
Google		141	996	4895	2855	1622	10368

News URL

Related news

Related vendor