• About Us
  • Privacy & Policy
  • Terms Conditions
  • Contact Us
biztoplocation.space
  • Home
  • Tech Trends

    The best deals ahead of the October Big Deal Days sale and everything we know so far

    Google Maps will flag businesses with potentially fake reviews

    DoNotPay ‘robot lawyer’ fined $193K by the FTC for not being a lawyer

    Meta’s Orion holographic avatars will (eventually) be in VR too

    Google files EU antitrust complaint against Microsoft

    California’s ‘click to cancel’ subscription bill is signed into law

    Horizon Zero Dawn Remastered arrives October 31 on PS5 and PC

    Ghost of Yōtei is a Tsushima sequel coming to PS5 in 2025

    The Google Photos video editor is getting AI, because of course it is

  • AI News
    The Quantum Arms Race Isn’t Just About Tech, It’s About Who Controls the Narrative

    “🌀 The Quantum Arms Race: Who Holds the Key to Our Tech Future? 🌍🔑”

    New Survey Finds Balancing AI’s Ease of Use with Trust is Top of Business Leaders Minds

    Navigating the AI Frontier: Balancing Trust and Usability for Business Success 🤝✨

    Benjamin Harvey, Ph.D., Founder & CEO of AI Squared – Interview Series

    Unlocking the Future of AI: Dr. Benjamin Harvey’s Vision with AI Squared 🚀✨

    How to Realize Value from a GenAI-Enabled Workforce

    Maximize Your Business Potential: The Game-Changing Power of GenAI 🚀✨

    How Does AI Use Impact Critical Thinking?

    Navigating the AI Revolution: Boosting Critical Thinking in a Tech-Driven World 🤖✨

    From Evo 1 to Evo 2: How NVIDIA is Redefining Genomic Research and AI-Driven Biological Innovations

    Unlocking the Secrets of Life: How NVIDIA is Revolutionizing Genomic Research with AI 🚀🌟

    Jotform Review: The Best Form Builder or Just Overhyped?

    Unlocking the Truth: Is Jotform the Next Best Thing in Form Building? 🤔🚀✨

    The Road to Better AI-Based Video Editing

    Unlock Your Creative Potential: Explore the Future of AI in Video Editing! 🎥✨🚀

    Post-RAG Evolution: AI’s Journey from Information Retrieval to Real-Time Reasoning

    Unlocking AI’s Future: From Data Fetching to Real-Time Thinking 🤖✨

  • Cyber Security
    Russian APT29 Exploits Gmail App Passwords to Bypass 2FA in Targeted Phishing Campaign

    Unmasking the Threat: How APT29 Outsmarts Gmail’s 2FA! 🚨🔍✨

    New Malware Campaign Uses Cloudflare Tunnels to Deliver RATs via Phishing Chains

    Beware the Digital Shadows: How Cloudflare Tunnels Are Fueling Sneaky Malware Attacks! 🌐🚨

    Veeam Patches CVE-2025-23121: Critical RCE Bug Rated 9.9 CVSS in Backup & Replication

    Stay One Step Ahead: Veeam Patches Critical CVE-2025-23121 Vulnerability! 🚨🔒✨

    Backups Are Under Attack: How to Protect Your Backups

    Guard Your Data: Essential Strategies to Defend Your Backups from Ransomware! 🔒🚀

    PyPI, npm, and AI Tools Exploited in Malware Surge Targeting DevOps and Cloud Environments

    Exposing the Shadows: The Rising Malware Menace in PyPI, npm, and AI Tools 🚨🤖💻

    AI Agents Run on Secret Accounts — Learn How to Secure Them in This Webinar

    Unlock the Secrets to Safeguarding AI Agents! 🚀🔒 Join Our Exclusive Webinar!

    Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks

    Unmasking the New Threat: How Ex-Black Basta Hackers Are Targeting Microsoft Teams with Python 🕵️‍♂️⚠️

    295 Malicious IPs Launch Coordinated Brute-Force Attacks on Apache Tomcat Manager

    Exposing the Cyber Underworld: 🚨 295 Malicious IPs Targeting Apache Tomcat Manager! 🛡️💻

    INTERPOL Dismantles 20,000+ Malicious IPs Linked to 69 Malware Variants in Operation Secure

    🌟 Global Cybersecurity Breakthrough: How INTERPOL Took Down 20,000 Malicious IPs! 🌍🔒

  • Apps News
    The Quantum Arms Race Isn’t Just About Tech, It’s About Who Controls the Narrative

    “🌀 The Quantum Arms Race: Who Holds the Key to Our Tech Future? 🌍🔑”

    New Survey Finds Balancing AI’s Ease of Use with Trust is Top of Business Leaders Minds

    Navigating the AI Frontier: Balancing Trust and Usability for Business Success 🤝✨

    Benjamin Harvey, Ph.D., Founder & CEO of AI Squared – Interview Series

    Unlocking the Future of AI: Dr. Benjamin Harvey’s Vision with AI Squared 🚀✨

    How to Realize Value from a GenAI-Enabled Workforce

    Maximize Your Business Potential: The Game-Changing Power of GenAI 🚀✨

    How Does AI Use Impact Critical Thinking?

    Navigating the AI Revolution: Boosting Critical Thinking in a Tech-Driven World 🤖✨

    From Evo 1 to Evo 2: How NVIDIA is Redefining Genomic Research and AI-Driven Biological Innovations

    Unlocking the Secrets of Life: How NVIDIA is Revolutionizing Genomic Research with AI 🚀🌟

    Jotform Review: The Best Form Builder or Just Overhyped?

    Unlocking the Truth: Is Jotform the Next Best Thing in Form Building? 🤔🚀✨

    The Road to Better AI-Based Video Editing

    Unlock Your Creative Potential: Explore the Future of AI in Video Editing! 🎥✨🚀

    Post-RAG Evolution: AI’s Journey from Information Retrieval to Real-Time Reasoning

    Unlocking AI’s Future: From Data Fetching to Real-Time Thinking 🤖✨

  • Events

    Does Cannabis Belong at Business Events?

    Rising Event Costs to Challenge 2025 Budgets

    Event Tech and the Future of In-Person Networking

    Dubai To Invest $2.7 Billion in What Will Become the Largest Exhibition Venue in the Middle East

    The Old Playbook Will Not Work for Today’s Corporate Events

    Why Actual Face Time Beats Screen Time for Gen Z

    Breathe New Life Into Meetings in Whistler

    Oak View Group and OCESA Team Up to Offer Hospitality at Four Mexico City Venues

    Time to Chill: Planners’ Post-Meeting Rituals

No Result
View All Result
  • Home
  • Tech Trends

    The best deals ahead of the October Big Deal Days sale and everything we know so far

    Google Maps will flag businesses with potentially fake reviews

    DoNotPay ‘robot lawyer’ fined $193K by the FTC for not being a lawyer

    Meta’s Orion holographic avatars will (eventually) be in VR too

    Google files EU antitrust complaint against Microsoft

    California’s ‘click to cancel’ subscription bill is signed into law

    Horizon Zero Dawn Remastered arrives October 31 on PS5 and PC

    Ghost of Yōtei is a Tsushima sequel coming to PS5 in 2025

    The Google Photos video editor is getting AI, because of course it is

  • AI News
    The Quantum Arms Race Isn’t Just About Tech, It’s About Who Controls the Narrative

    “🌀 The Quantum Arms Race: Who Holds the Key to Our Tech Future? 🌍🔑”

    New Survey Finds Balancing AI’s Ease of Use with Trust is Top of Business Leaders Minds

    Navigating the AI Frontier: Balancing Trust and Usability for Business Success 🤝✨

    Benjamin Harvey, Ph.D., Founder & CEO of AI Squared – Interview Series

    Unlocking the Future of AI: Dr. Benjamin Harvey’s Vision with AI Squared 🚀✨

    How to Realize Value from a GenAI-Enabled Workforce

    Maximize Your Business Potential: The Game-Changing Power of GenAI 🚀✨

    How Does AI Use Impact Critical Thinking?

    Navigating the AI Revolution: Boosting Critical Thinking in a Tech-Driven World 🤖✨

    From Evo 1 to Evo 2: How NVIDIA is Redefining Genomic Research and AI-Driven Biological Innovations

    Unlocking the Secrets of Life: How NVIDIA is Revolutionizing Genomic Research with AI 🚀🌟

    Jotform Review: The Best Form Builder or Just Overhyped?

    Unlocking the Truth: Is Jotform the Next Best Thing in Form Building? 🤔🚀✨

    The Road to Better AI-Based Video Editing

    Unlock Your Creative Potential: Explore the Future of AI in Video Editing! 🎥✨🚀

    Post-RAG Evolution: AI’s Journey from Information Retrieval to Real-Time Reasoning

    Unlocking AI’s Future: From Data Fetching to Real-Time Thinking 🤖✨

  • Cyber Security
    Russian APT29 Exploits Gmail App Passwords to Bypass 2FA in Targeted Phishing Campaign

    Unmasking the Threat: How APT29 Outsmarts Gmail’s 2FA! 🚨🔍✨

    New Malware Campaign Uses Cloudflare Tunnels to Deliver RATs via Phishing Chains

    Beware the Digital Shadows: How Cloudflare Tunnels Are Fueling Sneaky Malware Attacks! 🌐🚨

    Veeam Patches CVE-2025-23121: Critical RCE Bug Rated 9.9 CVSS in Backup & Replication

    Stay One Step Ahead: Veeam Patches Critical CVE-2025-23121 Vulnerability! 🚨🔒✨

    Backups Are Under Attack: How to Protect Your Backups

    Guard Your Data: Essential Strategies to Defend Your Backups from Ransomware! 🔒🚀

    PyPI, npm, and AI Tools Exploited in Malware Surge Targeting DevOps and Cloud Environments

    Exposing the Shadows: The Rising Malware Menace in PyPI, npm, and AI Tools 🚨🤖💻

    AI Agents Run on Secret Accounts — Learn How to Secure Them in This Webinar

    Unlock the Secrets to Safeguarding AI Agents! 🚀🔒 Join Our Exclusive Webinar!

    Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks

    Unmasking the New Threat: How Ex-Black Basta Hackers Are Targeting Microsoft Teams with Python 🕵️‍♂️⚠️

    295 Malicious IPs Launch Coordinated Brute-Force Attacks on Apache Tomcat Manager

    Exposing the Cyber Underworld: 🚨 295 Malicious IPs Targeting Apache Tomcat Manager! 🛡️💻

    INTERPOL Dismantles 20,000+ Malicious IPs Linked to 69 Malware Variants in Operation Secure

    🌟 Global Cybersecurity Breakthrough: How INTERPOL Took Down 20,000 Malicious IPs! 🌍🔒

  • Apps News
    The Quantum Arms Race Isn’t Just About Tech, It’s About Who Controls the Narrative

    “🌀 The Quantum Arms Race: Who Holds the Key to Our Tech Future? 🌍🔑”

    New Survey Finds Balancing AI’s Ease of Use with Trust is Top of Business Leaders Minds

    Navigating the AI Frontier: Balancing Trust and Usability for Business Success 🤝✨

    Benjamin Harvey, Ph.D., Founder & CEO of AI Squared – Interview Series

    Unlocking the Future of AI: Dr. Benjamin Harvey’s Vision with AI Squared 🚀✨

    How to Realize Value from a GenAI-Enabled Workforce

    Maximize Your Business Potential: The Game-Changing Power of GenAI 🚀✨

    How Does AI Use Impact Critical Thinking?

    Navigating the AI Revolution: Boosting Critical Thinking in a Tech-Driven World 🤖✨

    From Evo 1 to Evo 2: How NVIDIA is Redefining Genomic Research and AI-Driven Biological Innovations

    Unlocking the Secrets of Life: How NVIDIA is Revolutionizing Genomic Research with AI 🚀🌟

    Jotform Review: The Best Form Builder or Just Overhyped?

    Unlocking the Truth: Is Jotform the Next Best Thing in Form Building? 🤔🚀✨

    The Road to Better AI-Based Video Editing

    Unlock Your Creative Potential: Explore the Future of AI in Video Editing! 🎥✨🚀

    Post-RAG Evolution: AI’s Journey from Information Retrieval to Real-Time Reasoning

    Unlocking AI’s Future: From Data Fetching to Real-Time Thinking 🤖✨

  • Events

    Does Cannabis Belong at Business Events?

    Rising Event Costs to Challenge 2025 Budgets

    Event Tech and the Future of In-Person Networking

    Dubai To Invest $2.7 Billion in What Will Become the Largest Exhibition Venue in the Middle East

    The Old Playbook Will Not Work for Today’s Corporate Events

    Why Actual Face Time Beats Screen Time for Gen Z

    Breathe New Life Into Meetings in Whistler

    Oak View Group and OCESA Team Up to Offer Hospitality at Four Mexico City Venues

    Time to Chill: Planners’ Post-Meeting Rituals

No Result
View All Result
biztoplocation.space
No Result
View All Result
Home Security

Google Fixes GCP Composer Flaw That Could’ve Led to Remote Code Execution

admin by admin
September 16, 2024
in Security
0
0
SHARES
0
VIEWS
Share on FacebookShare on Twitter

[ad_1]

Sep 16, 2024Ravie LakshmananCloud Security / Vulnerability

Google Fixes GCP Composer Flaw

A now-patched critical security flaw impacting Google Cloud Platform (GCP) Composer could have been exploited to achieve remote code execution on cloud servers by means of a supply chain attack technique called dependency confusion.

The vulnerability has been codenamed CloudImposer by Tenable Research.

“The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool,” security researcher Liv Matan said in a report shared with The Hacker News.

Dependency confusion (aka substitution attack), which was first documented by security researcher Alex Birsan in February 2021, refers to a type of software supply chain compromise in which a package manager is tricked into pulling a malicious package from a public repository instead of the intended file of the same name from an internal repository.

Cybersecurity

So, a threat actor could stage a large-scale supply chain attack by publishing a counterfeit package to a public package repository with the same name as a package internally developed by companies and with a higher version number.

This, in turn, causes the package manager to unknowingly download the malicious package from the public repository instead of the private repository, effectively replacing the existing package dependency with its rogue counterpart.

The problem identified by Tenable is similar in that it could be abused to upload a malicious package to the Python Package Index (PyPI) repository with the name “google-cloud-datacatalog-lineage-producer-client,” which could then be preinstalled on all Composer instances with elevated permissions.

While Cloud Composer requires that the package in question is version-pinned (i.e., version 0.1.0), Tenable found that using the “–extra-index-url” argument during a “pip install” command prioritizes fetching the package from the public registry, thereby opening the door to dependency confusion.

Armed with this privilege, attackers could execute code, exfiltrate service account credentials, and move laterally in the victim’s environment to other GCP services.

Following responsible disclosure on January 18, 2024, it was fixed by Google in May 2024 by ensuring that the package is only installed from a private repository. It has also added the extra precaution of verifying the package’s checksum in order to confirm its integrity and validate that it has not been tampered with.

The Python Packaging Authority (PyPA) is said to have been aware of the risks posed by the “–extra-index-url” argument since at least March 2018, urging users to skip using PyPI in cases where the internal package needs to be pulled.

Cybersecurity

“Packages are expected to be unique up to name and version, so two wheels with the same package name and version are treated as indistinguishable by pip,” a PyPA member noted at the time. “This is a deliberate feature of the package metadata, and not likely to change.”

Google, as part of its fix, now also recommends that developers use the “–index-url” argument instead of the “–extra-index-url” argument and that GCP customers make use of an Artifact Registry virtual repository when requiring multiple repositories.

“The ‘–index-url’ argument reduces the risk of dependency confusion attacks by only searching for packages in the registry that was defined as a given value for that argument,” Matan said.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.



[ad_2]

Source link

Previous Post

Behind the Scenes of Skift Meetings Forum 2024

Next Post

Apple’s 13-inch M2 iPad Air is back on sale for $720

admin

admin

Next Post

Apple's 13-inch M2 iPad Air is back on sale for $720

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Stay Connected test

  • 23.9k Followers
  • 99 Subscribers
  • Trending
  • Comments
  • Latest
CERT-UA Warns: Dark Crystal RAT Targets Ukrainian Defense via Malicious Signal Messages

Cybersecurity Under Siege: The Dark Crystal RAT Targets Ukraine’s Defense! 🚨🔒

March 20, 2025
Voyantis Secures $41M to Revolutionize AI-Driven Growth Strategies

Unlocking Growth: How Voyantis’ $41M AI Revolution is Changing the Game for Businesses 🌟💼

February 14, 2025

Oak View Group and OCESA Team Up to Offer Hospitality at Four Mexico City Venues

September 24, 2024
Explore Fully Operational Cockpits and Aircraft with Aerofly FS Global Mobile Flight Simulator

Soar Beyond Limits: Experience the Ultimate Flight Adventure with Aerofly FS Global! ✈️🌍✨

November 22, 2024

Nth Degree Targets Strategic Acquisitions with New Backing from Shamrock Capital

0

5 Best Classic App Store Games

0

Apple Vision Pro Vulnerability Exposed Virtual Keyboard Inputs to Attackers

0

The best iPad accessories for 2024

0
Grab Your Can-Do Attitude and Download Boxville 2

Unleash Your Imagination: Dive into the Whimsical World of Boxville 2! 🎮✨🧩

June 28, 2025
Marvel Mystic Mayhem Arrives on the App Store Featuring Superhero RPG Battles

Unleash Your Inner Hero: Dive into Marvel Mystic Mayhem Now! 🦸‍♀️✨

June 27, 2025
4 Best Brain Training Apps and Games

Unlock Your Brain’s Potential: Top 4 Apps to Supercharge Your Mind! 🧠🚀✨

June 25, 2025
5 Great Cocktail and Drink Apps

Sip, Savor & Shake: Top 5 Cocktail Apps Every Drink Lover Needs! 🍹📲

June 24, 2025

Recent News

Grab Your Can-Do Attitude and Download Boxville 2

Unleash Your Imagination: Dive into the Whimsical World of Boxville 2! 🎮✨🧩

June 28, 2025
Marvel Mystic Mayhem Arrives on the App Store Featuring Superhero RPG Battles

Unleash Your Inner Hero: Dive into Marvel Mystic Mayhem Now! 🦸‍♀️✨

June 27, 2025
4 Best Brain Training Apps and Games

Unlock Your Brain’s Potential: Top 4 Apps to Supercharge Your Mind! 🧠🚀✨

June 25, 2025
5 Great Cocktail and Drink Apps

Sip, Savor & Shake: Top 5 Cocktail Apps Every Drink Lover Needs! 🍹📲

June 24, 2025

Biz Top News

At Biz Top News, we provide the latest updates and insights on technology, from AI and cybersecurity to apps and cryptocurrency. Stay informed with our expert analysis and breaking news.

Browse by Category

  • AI News
  • Apps
  • Crypto
  • Events
  • Security
  • Tech Trends
  • Uncategorized

About

  • About Us
  • Privacy & Policy
  • Terms Conditions
  • Contact Us

    © 2025 Biztoplocation - All rights reserved.

    No Result
    View All Result

    © 2025 Biztoplocation - All rights reserved.