Tenable Research has disclosed a now-patched, high-severity vulnerability in Google Cloud Platform’s (GCP) Cloud Composer service, dubbed ConfusedComposer.
It could have allowed attackers to hijack cloud workflows and gain control over critical resources. The flaw highlights risks in automated cloud service orchestration.
Cloud Composer, GCP’s managed Apache Airflow service for workflow automation, relies on Cloud Build (GCP’s CI/CD tool) to install custom Python PyPI packages.
Tenable found that an attacker with the composer.environments.update permission could inject a malicious PyPI package into a Composer environment.
When Cloud Build installs such packages with pip, Python’s package installer, pip automatically runs any pre-/post-installation scripts the package ships with.
Attackers could exploit this to execute arbitrary code within the Cloud Build instance tied to the default Cloud Build service account—a highly privileged identity with permissions to:
“This bypassed the need for direct access to Cloud Build or Composer service accounts,” said Tenable researcher Gavin Milnthorpe. “The trusted automation pipeline became the attack vector.”
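Because the attack path starts with a legitimate-looking environment update that changes the PyPI package list, a defender’s first detection is to watch Cloud Audit Logs for exactly that change and flag it when it comes from an unexpected principal. The script below is an added example, not Tenable’s or Google’s code; the audit-log method name, the update-mask path and the log entries are assumptions and constructed samples, so adjust them to what your own log export shows.

```python
# Assumption (not from the article): the Cloud Audit Log method name for a Composer
# environment update and the update-mask path that names its PyPI package list.
COMPOSER_UPDATE_METHOD = "google.cloud.orchestration.airflow.service.v1.Environments.UpdateEnvironment"
PYPI_MASK_PATH = "config.software_config.pypi_packages"
ENV = "projects/p/locations/us-central1/environments/prod"

SAMPLE_LOG = [  # constructed sample entries, not real log data
    {"protoPayload": {"methodName": COMPOSER_UPDATE_METHOD, "resourceName": ENV,
                      "authenticationInfo": {"principalEmail": "ci-bot@example.com"},
                      "request": {"updateMask": "config.software_config.env_variables"}}},
    {"protoPayload": {"methodName": COMPOSER_UPDATE_METHOD, "resourceName": ENV,
                      "authenticationInfo": {"principalEmail": "contractor@example.com"},
                      "request": {"updateMask": {"paths": [PYPI_MASK_PATH]},
                                  "environment": {"config": {"softwareConfig": {
                                      "pypiPackages": {"internal-helpers": "==0.1.0"}}}}}}},
    {"protoPayload": {"methodName": COMPOSER_UPDATE_METHOD.replace("Update", "Get"),
                      "authenticationInfo": {"principalEmail": "contractor@example.com"}}},
]

def mask_paths(mask):
    """Normalise an updateMask given as 'a,b' or as a FieldMask {'paths': [...]}."""
    if isinstance(mask, dict):
        return [p.strip() for p in mask.get("paths", [])]
    return [p.strip() for p in str(mask).split(",") if p.strip()]

def is_pypi_update(entry):
    """True if the entry is a Composer update whose mask covers the PyPI package list."""
    proto = entry.get("protoPayload", {})
    if proto.get("methodName") != COMPOSER_UPDATE_METHOD:
        return False
    paths = mask_paths(proto.get("request", {}).get("updateMask", ""))
    # A broader mask such as "config" or "config.software_config" also covers it.
    return any(PYPI_MASK_PATH.startswith(p) for p in paths)

def flag_pypi_changes(entries, approved_principals):
    """Return (principal, environment, packages) for PyPI-list changes by anyone outside
    the approved set: their install-time scripts run with the pipeline's identity."""
    findings = []
    for entry in entries:
        if not is_pypi_update(entry):
            continue
        proto = entry["protoPayload"]
        who = proto.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        if who in approved_principals:
            continue
        cfg = proto.get("request", {}).get("environment", {}).get("config", {})
        pkgs = cfg.get("softwareConfig", {}).get("pypiPackages", {})
        findings.append((who, proto.get("resourceName", "<unknown>"), sorted(pkgs)))
    return findings
```

Run it against a real log export by feeding the parsed JSON entries to `flag_pypi_changes` with the set of principals that are allowed to change packages; each finding is a package change to review before trusting the environment.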
Google resolved the flaw by reconfiguring Composer to use its own service account (with limited permissions) instead of the default Cloud Build account during PyPI installations. Key actions include:
ConfusedComposer follows 2024’s ConfusedFunction vulnerability, part of a pattern Tenable calls Jenga®-style attacks.
These exploit hidden permissions in cloud services that automatically provision resources (e.g., serverless functions, CI/CD pipelines).
“Cloud providers abstract complexity, but this creates blind spots,” Milnthorpe noted. “Attackers chain these ‘behind-the-scenes’ services to escalate access.”
Google confirmed no active exploits were detected before the patch. However, the flaw underscores the need for rigorous oversight in multi-service cloud environments.