![Mike Rockwell is Overhauling Siri's Leadership Team [Report]](https://www.iclarified.com/images/news/97096/97096/97096-640.jpg)
![Instagram Releases 'Edits' Video Creation App [Download]](https://www.iclarified.com/images/news/97097/97097/97097-640.jpg)
![Hands-On With 'iPhone 17 Air' Dummy Reveals 'Scary Thin' Design [Video]](https://www.iclarified.com/images/news/97100/97100/97100-640.jpg)
![Inside Netflix's Rebuild of the Amsterdam Apple Store for 'iHostage' [Video]](https://www.iclarified.com/images/news/97095/97095/97095-640.jpg)
![What iPhone 17 model are you most excited to see? [Poll]](https://9to5mac.com/wp-content/uploads/sites/6/2025/04/iphone-17-pro-sky-blue.jpg?quality=82&strip=all&w=290&h=145&crop=1)
![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
![BPMN-procesmodellering [closed]](https://i.sstatic.net/l7l8q49F.png)
-The-Elder-Scrolls-IV-Oblivion-Remastered---Official-Reveal-00-18-14.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
Google Cloud Composer Vulnerability Let Attackers Elevate Their Privileges
A critical privilege-escalation vulnerability in Google Cloud Platform (GCP), dubbed “ConfusedComposer,” could have allowed attackers to gain elevated permissions to sensitive cloud resources. The vulnerability, now patched, enabled attackers with minimal permissions to potentially gain control over a highly privileged service account, offering a pathway to extensive project-wide access. The vulnerability resided in Google Cloud […] The post Google Cloud Composer Vulnerability Let Attackers Elevate Their Privileges appeared first on Cyber Security News.
A critical privilege-escalation vulnerability in Google Cloud Platform (GCP), dubbed “ConfusedComposer,” could have allowed attackers to gain elevated permissions to sensitive cloud resources.
The vulnerability, now patched, enabled attackers with minimal permissions to potentially gain control over a highly privileged service account, offering a pathway to extensive project-wide access.
The vulnerability resided in Google Cloud Composer, a fully managed workflow orchestration service based on Apache Airflow for scheduling and automating data pipelines.
GCP Composer Privilege Escalation Vulnerability
The flaw stemmed from how Cloud Composer interacts with Google Cloud Build, GCP’s continuous integration and delivery service.
Cloud Composer’s functionality to install custom PyPI packages in environments was at the core of the vulnerability.
When users specified custom PyPI packages, Cloud Composer would initiate a behind-the-scenes build process where the Cloud Composer service account would automatically provision a Cloud Build instance in the user’s project.
“An attacker with the composer.environments update permission could have abused the Cloud Composer service orchestration process to escalate privileges,” explained Tenable researchers, shared with Cyber Security News.
The attack methodology involved injecting a malicious PyPI package into the victim’s Composer custom-package configuration.
Technical Exploitation Path
The exploitation relied on how Pip, Python’s package installer, automatically executes pre- and post-package installation scripts.
Researchers demonstrated that attackers could execute arbitrary code within the Cloud Build environment through these installation scripts, despite lacking direct control over Composer’s underlying service account.
The privilege escalation occurred when the injected code accessed Cloud Build’s metadata API to extract the service account token.
Since the build instance runs with the default Cloud Build service account, which has broad permissions to Cloud Storage, Artifact Registry, Container Registry, and other services, attackers could gain elevated privileges across the victim’s GCP project.
Google has fixed the vulnerability by changing how Cloud Composer handles PyPI module installations.
“After implementing the fix, Composer stopped using the Cloud Build service account and instead will use the Composer environment service account for performing PyPI module installations,” noted the researchers.
The fix has been rolled out to new Composer instances, with existing instances scheduled to receive the update by April 2025.
Additionally, to improve security awareness, Google has updated Composer’s documentation around Access Control, Installing Python Dependencies, and Accessing the Airflow CLI.
This vulnerability falls into what Tenable researchers classify as a “Jenga” attack class, building upon another GCP privilege-escalation vulnerability called “ConfusedFunction” that they discovered last year.
These vulnerabilities exploit cloud provider misconfigurations related to service permissions and abuse interconnected services that cloud providers automatically deploy as part of service orchestration processes.
The discovery highlights the growing complexity of cloud security and the importance of properly configuring service account permissions in cloud environments, especially when dealing with automation pipelines that may involve multiple interconnected services.
Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy
The post Google Cloud Composer Vulnerability Let Attackers Elevate Their Privileges appeared first on Cyber Security News.
