wiz-sec / open-cvdb

An open project to list all publicly known cloud vulnerabilities and CSP security issues
https://cloudvulndb.org
Creative Commons Attribution 4.0 International

Add Asset Key Thief #170

Closed 0xdabbad00 closed 1 year ago

0xdabbad00 commented 1 year ago

This issue, impacting GCP, allowed someone with the permission cloudasset.assets.searchAllResources to use the Cloud Asset Inventory API to read Google Cloud Service Account private keys. This is privilege escalation, so this should have a severity of Medium (or possibly High).

https://engineering.sada.com/asset-key-thief-disclosure-cfae4f1778b6
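The check a defender would want after reading the comment above is an inventory of who in a project effectively holds cloudasset.assets.searchAllResources, including grants that arrive through predefined or custom roles rather than a direct binding. The script below is an added example, not code from the issue, the SADA write-up or open-cvdb. It assumes its two inputs come from `gcloud projects get-iam-policy PROJECT --format=json` and `gcloud iam roles describe ROLE --format=json`; the sample policy and role definitions embedded in it are constructed for the demonstration and are not the authoritative permission sets of the real roles.

```python
"""Report IAM principals that effectively hold a given permission in a GCP project.

Added example, not part of the open-cvdb issue. Inputs are assumed to be the JSON
printed by `gcloud projects get-iam-policy` and `gcloud iam roles describe`; the
samples below are constructed and do not reflect the real roles' permission lists.
"""
import json

TARGET_PERMISSION = "cloudasset.assets.searchAllResources"

# Constructed sample project IAM policy in gcloud's JSON shape.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/cloudasset.viewer",
         "members": ["serviceAccount:inventory@example.iam.gserviceaccount.com",
                     "group:auditors@example.com"]},
        {"role": "projects/example/roles/readOnlyLogs",
         "members": ["user:dev@example.com"]},
        {"role": "roles/viewer",
         "members": ["user:intern@example.com"],
         "condition": {"title": "expires",
                       "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}},
    ]
})

# Constructed sample role definitions keyed by role name. In practice build this
# map from `gcloud iam roles describe` for every role seen in the policy;
# roles/owner is deliberately left out to show how undefined roles are handled.
SAMPLE_ROLE_DEFS = {
    "roles/cloudasset.viewer": {
        "includedPermissions": [TARGET_PERMISSION, "resourcemanager.projects.get"]},
    "roles/viewer": {
        "includedPermissions": [TARGET_PERMISSION, "resourcemanager.projects.get"]},
    "projects/example/roles/readOnlyLogs": {
        "includedPermissions": ["logging.logEntries.list"]},
}


def find_holders(policy_json, role_defs, permission=TARGET_PERMISSION):
    """Return (holders, unresolved).

    holders maps each member to a list of (role, is_conditional) pairs for every
    binding whose role includes `permission`. unresolved lists roles present in
    the policy that have no entry in role_defs; they are reported rather than
    silently treated as harmless, because a missing definition is not evidence
    that the role lacks the permission.
    """
    policy = json.loads(policy_json)
    holders = {}
    unresolved = set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        definition = role_defs.get(role)
        if definition is None:
            unresolved.add(role)
            continue
        if permission not in definition.get("includedPermissions", []):
            continue
        conditional = "condition" in binding
        for member in binding.get("members", []):
            holders.setdefault(member, []).append((role, conditional))
    return holders, sorted(unresolved)


def main():
    holders, unresolved = find_holders(SAMPLE_POLICY, SAMPLE_ROLE_DEFS)
    print(f"Principals holding {TARGET_PERMISSION}:")
    for member, grants in sorted(holders.items()):
        for role, conditional in grants:
            note = " (conditional binding, check expression)" if conditional else ""
            print(f"  {member} via {role}{note}")
    if unresolved:
        print("Roles with no fetched definition (resolve before trusting this report):")
        for role in unresolved:
            print(f"  {role}")


if __name__ == "__main__":
    main()
```

Conditional bindings are flagged rather than dropped: a condition narrows when the grant applies, but the principal still holds the permission whenever the expression evaluates true, so it belongs in the review list.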

amccarthy-figma commented 1 year ago

https://www.cloudvulndb.org/asset-key-thief?

0xdabbad00 commented 1 year ago

Oof, good catch. Thank you.