• About Us
  • Privacy & Policy
  • Terms Conditions
  • Contact Us
biztoplocation.space
  • Home
  • Tech Trends

    The best deals ahead of the October Big Deal Days sale and everything we know so far

    Google Maps will flag businesses with potentially fake reviews

    DoNotPay ‘robot lawyer’ fined $193K by the FTC for not being a lawyer

    Meta’s Orion holographic avatars will (eventually) be in VR too

    Google files EU antitrust complaint against Microsoft

    California’s ‘click to cancel’ subscription bill is signed into law

    Horizon Zero Dawn Remastered arrives October 31 on PS5 and PC

    Ghost of Yōtei is a Tsushima sequel coming to PS5 in 2025

    The Google Photos video editor is getting AI, because of course it is

  • AI News
    The Quantum Arms Race Isn’t Just About Tech, It’s About Who Controls the Narrative

    “🌀 The Quantum Arms Race: Who Holds the Key to Our Tech Future? 🌍🔑”

    New Survey Finds Balancing AI’s Ease of Use with Trust is Top of Business Leaders Minds

    Navigating the AI Frontier: Balancing Trust and Usability for Business Success 🤝✨

    Benjamin Harvey, Ph.D., Founder & CEO of AI Squared – Interview Series

    Unlocking the Future of AI: Dr. Benjamin Harvey’s Vision with AI Squared 🚀✨

    How to Realize Value from a GenAI-Enabled Workforce

    Maximize Your Business Potential: The Game-Changing Power of GenAI 🚀✨

    How Does AI Use Impact Critical Thinking?

    Navigating the AI Revolution: Boosting Critical Thinking in a Tech-Driven World 🤖✨

    From Evo 1 to Evo 2: How NVIDIA is Redefining Genomic Research and AI-Driven Biological Innovations

    Unlocking the Secrets of Life: How NVIDIA is Revolutionizing Genomic Research with AI 🚀🌟

    Jotform Review: The Best Form Builder or Just Overhyped?

    Unlocking the Truth: Is Jotform the Next Best Thing in Form Building? 🤔🚀✨

    The Road to Better AI-Based Video Editing

    Unlock Your Creative Potential: Explore the Future of AI in Video Editing! 🎥✨🚀

    Post-RAG Evolution: AI’s Journey from Information Retrieval to Real-Time Reasoning

    Unlocking AI’s Future: From Data Fetching to Real-Time Thinking 🤖✨

  • Cyber Security
    Fake Kling AI Facebook Ads Deliver RAT Malware to Over 22 Million Potential Victims

    🚨 Beware of Kling AI! The Social Media Scam You Can’t Afford to Ignore 🚨

    How to Detect Phishing Attacks Faster: Tycoon2FA Example

    “🚨 Mastering the Art of Phishing Detection: Stay One Step Ahead in 2023! 🔍✨”

    The Crowded Battle: Key Insights from the 2025 State of Pentesting Report

    🛡️ Unleashing Cyber Resilience: Mastering Pentesting Strategies for 2025 🚀

    Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks

    🚨 Unmasking the Threat: How Fileless Remcos RAT Uses LNK Files to Outwit Your Security! 🖥️💻

    Malicious npm Package Leverages Unicode Steganography, Google Calendar as C2 Dropper

    Unmasking Cyber Deception: How an npm Package Uses Unicode and Google Calendar for Sneaky Attacks! 🕵️‍♂️📅

    BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan

    Stay Safe from Cyber Shadows: How BianLian & RansomExx Target SAP NetWeaver 🛡️🚨

    Xinbi Telegram Market Tied to $8.4B in Crypto Crime, Romance Scams, North Korea Laundering

    Unveiling the Dark Secrets of Xinbi: How a Telegram Marketplace is Fuelling $8.4 Billion in Crypto Crimes 🔍💰

    CTM360 Identifies Surge in Phishing Attacks Targeting Meta Business Users

    🚨 Stop the Phish: Essential Tips to Protect Your Meta Business Account! 🛡️💼

    China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide

    🚨 Unmasking the Danger: How China-Linked Cyber Groups are Targeting SAP Vulnerabilities! 🛡️🌐

  • Apps News
    The Quantum Arms Race Isn’t Just About Tech, It’s About Who Controls the Narrative

    “🌀 The Quantum Arms Race: Who Holds the Key to Our Tech Future? 🌍🔑”

    New Survey Finds Balancing AI’s Ease of Use with Trust is Top of Business Leaders Minds

    Navigating the AI Frontier: Balancing Trust and Usability for Business Success 🤝✨

    Benjamin Harvey, Ph.D., Founder & CEO of AI Squared – Interview Series

    Unlocking the Future of AI: Dr. Benjamin Harvey’s Vision with AI Squared 🚀✨

    How to Realize Value from a GenAI-Enabled Workforce

    Maximize Your Business Potential: The Game-Changing Power of GenAI 🚀✨

    How Does AI Use Impact Critical Thinking?

    Navigating the AI Revolution: Boosting Critical Thinking in a Tech-Driven World 🤖✨

    From Evo 1 to Evo 2: How NVIDIA is Redefining Genomic Research and AI-Driven Biological Innovations

    Unlocking the Secrets of Life: How NVIDIA is Revolutionizing Genomic Research with AI 🚀🌟

    Jotform Review: The Best Form Builder or Just Overhyped?

    Unlocking the Truth: Is Jotform the Next Best Thing in Form Building? 🤔🚀✨

    The Road to Better AI-Based Video Editing

    Unlock Your Creative Potential: Explore the Future of AI in Video Editing! 🎥✨🚀

    Post-RAG Evolution: AI’s Journey from Information Retrieval to Real-Time Reasoning

    Unlocking AI’s Future: From Data Fetching to Real-Time Thinking 🤖✨

  • Events

    Does Cannabis Belong at Business Events?

    Rising Event Costs to Challenge 2025 Budgets

    Event Tech and the Future of In-Person Networking

    Dubai To Invest $2.7 Billion in What Will Become the Largest Exhibition Venue in the Middle East

    The Old Playbook Will Not Work for Today’s Corporate Events

    Why Actual Face Time Beats Screen Time for Gen Z

    Breathe New Life Into Meetings in Whistler

    Oak View Group and OCESA Team Up to Offer Hospitality at Four Mexico City Venues

    Time to Chill: Planners’ Post-Meeting Rituals

No Result
View All Result
  • Home
  • Tech Trends

    The best deals ahead of the October Big Deal Days sale and everything we know so far

    Google Maps will flag businesses with potentially fake reviews

    DoNotPay ‘robot lawyer’ fined $193K by the FTC for not being a lawyer

    Meta’s Orion holographic avatars will (eventually) be in VR too

    Google files EU antitrust complaint against Microsoft

    California’s ‘click to cancel’ subscription bill is signed into law

    Horizon Zero Dawn Remastered arrives October 31 on PS5 and PC

    Ghost of Yōtei is a Tsushima sequel coming to PS5 in 2025

    The Google Photos video editor is getting AI, because of course it is

  • AI News
    The Quantum Arms Race Isn’t Just About Tech, It’s About Who Controls the Narrative

    “🌀 The Quantum Arms Race: Who Holds the Key to Our Tech Future? 🌍🔑”

    New Survey Finds Balancing AI’s Ease of Use with Trust is Top of Business Leaders Minds

    Navigating the AI Frontier: Balancing Trust and Usability for Business Success 🤝✨

    Benjamin Harvey, Ph.D., Founder & CEO of AI Squared – Interview Series

    Unlocking the Future of AI: Dr. Benjamin Harvey’s Vision with AI Squared 🚀✨

    How to Realize Value from a GenAI-Enabled Workforce

    Maximize Your Business Potential: The Game-Changing Power of GenAI 🚀✨

    How Does AI Use Impact Critical Thinking?

    Navigating the AI Revolution: Boosting Critical Thinking in a Tech-Driven World 🤖✨

    From Evo 1 to Evo 2: How NVIDIA is Redefining Genomic Research and AI-Driven Biological Innovations

    Unlocking the Secrets of Life: How NVIDIA is Revolutionizing Genomic Research with AI 🚀🌟

    Jotform Review: The Best Form Builder or Just Overhyped?

    Unlocking the Truth: Is Jotform the Next Best Thing in Form Building? 🤔🚀✨

    The Road to Better AI-Based Video Editing

    Unlock Your Creative Potential: Explore the Future of AI in Video Editing! 🎥✨🚀

    Post-RAG Evolution: AI’s Journey from Information Retrieval to Real-Time Reasoning

    Unlocking AI’s Future: From Data Fetching to Real-Time Thinking 🤖✨

  • Cyber Security
    Fake Kling AI Facebook Ads Deliver RAT Malware to Over 22 Million Potential Victims

    🚨 Beware of Kling AI! The Social Media Scam You Can’t Afford to Ignore 🚨

    How to Detect Phishing Attacks Faster: Tycoon2FA Example

    “🚨 Mastering the Art of Phishing Detection: Stay One Step Ahead in 2023! 🔍✨”

    The Crowded Battle: Key Insights from the 2025 State of Pentesting Report

    🛡️ Unleashing Cyber Resilience: Mastering Pentesting Strategies for 2025 🚀

    Fileless Remcos RAT Delivered via LNK Files and MSHTA in PowerShell-Based Attacks

    🚨 Unmasking the Threat: How Fileless Remcos RAT Uses LNK Files to Outwit Your Security! 🖥️💻

    Malicious npm Package Leverages Unicode Steganography, Google Calendar as C2 Dropper

    Unmasking Cyber Deception: How an npm Package Uses Unicode and Google Calendar for Sneaky Attacks! 🕵️‍♂️📅

    BianLian and RansomExx Exploit SAP NetWeaver Flaw to Deploy PipeMagic Trojan

    Stay Safe from Cyber Shadows: How BianLian & RansomExx Target SAP NetWeaver 🛡️🚨

    Xinbi Telegram Market Tied to $8.4B in Crypto Crime, Romance Scams, North Korea Laundering

    Unveiling the Dark Secrets of Xinbi: How a Telegram Marketplace is Fuelling $8.4 Billion in Crypto Crimes 🔍💰

    CTM360 Identifies Surge in Phishing Attacks Targeting Meta Business Users

    🚨 Stop the Phish: Essential Tips to Protect Your Meta Business Account! 🛡️💼

    China-Linked APTs Exploit SAP CVE-2025-31324 to Breach 581 Critical Systems Worldwide

    🚨 Unmasking the Danger: How China-Linked Cyber Groups are Targeting SAP Vulnerabilities! 🛡️🌐

  • Apps News
    The Quantum Arms Race Isn’t Just About Tech, It’s About Who Controls the Narrative

    “🌀 The Quantum Arms Race: Who Holds the Key to Our Tech Future? 🌍🔑”

    New Survey Finds Balancing AI’s Ease of Use with Trust is Top of Business Leaders Minds

    Navigating the AI Frontier: Balancing Trust and Usability for Business Success 🤝✨

    Benjamin Harvey, Ph.D., Founder & CEO of AI Squared – Interview Series

    Unlocking the Future of AI: Dr. Benjamin Harvey’s Vision with AI Squared 🚀✨

    How to Realize Value from a GenAI-Enabled Workforce

    Maximize Your Business Potential: The Game-Changing Power of GenAI 🚀✨

    How Does AI Use Impact Critical Thinking?

    Navigating the AI Revolution: Boosting Critical Thinking in a Tech-Driven World 🤖✨

    From Evo 1 to Evo 2: How NVIDIA is Redefining Genomic Research and AI-Driven Biological Innovations

    Unlocking the Secrets of Life: How NVIDIA is Revolutionizing Genomic Research with AI 🚀🌟

    Jotform Review: The Best Form Builder or Just Overhyped?

    Unlocking the Truth: Is Jotform the Next Best Thing in Form Building? 🤔🚀✨

    The Road to Better AI-Based Video Editing

    Unlock Your Creative Potential: Explore the Future of AI in Video Editing! 🎥✨🚀

    Post-RAG Evolution: AI’s Journey from Information Retrieval to Real-Time Reasoning

    Unlocking AI’s Future: From Data Fetching to Real-Time Thinking 🤖✨

  • Events

    Does Cannabis Belong at Business Events?

    Rising Event Costs to Challenge 2025 Budgets

    Event Tech and the Future of In-Person Networking

    Dubai To Invest $2.7 Billion in What Will Become the Largest Exhibition Venue in the Middle East

    The Old Playbook Will Not Work for Today’s Corporate Events

    Why Actual Face Time Beats Screen Time for Gen Z

    Breathe New Life Into Meetings in Whistler

    Oak View Group and OCESA Team Up to Offer Hospitality at Four Mexico City Venues

    Time to Chill: Planners’ Post-Meeting Rituals

No Result
View All Result
biztoplocation.space
No Result
View All Result
Home Security

Google Fixes GCP Composer Flaw That Could’ve Led to Remote Code Execution

admin by admin
September 16, 2024
in Security
0
0
SHARES
0
VIEWS
Share on FacebookShare on Twitter

[ad_1]

Sep 16, 2024Ravie LakshmananCloud Security / Vulnerability

Google Fixes GCP Composer Flaw

A now-patched critical security flaw impacting Google Cloud Platform (GCP) Composer could have been exploited to achieve remote code execution on cloud servers by means of a supply chain attack technique called dependency confusion.

The vulnerability has been codenamed CloudImposer by Tenable Research.

“The vulnerability could have allowed an attacker to hijack an internal software dependency that Google pre-installs on each Google Cloud Composer pipeline-orchestration tool,” security researcher Liv Matan said in a report shared with The Hacker News.

Dependency confusion (aka substitution attack), which was first documented by security researcher Alex Birsan in February 2021, refers to a type of software supply chain compromise in which a package manager is tricked into pulling a malicious package from a public repository instead of the intended file of the same name from an internal repository.

Cybersecurity

So, a threat actor could stage a large-scale supply chain attack by publishing a counterfeit package to a public package repository with the same name as a package internally developed by companies and with a higher version number.

This, in turn, causes the package manager to unknowingly download the malicious package from the public repository instead of the private repository, effectively replacing the existing package dependency with its rogue counterpart.

The problem identified by Tenable is similar in that it could be abused to upload a malicious package to the Python Package Index (PyPI) repository with the name “google-cloud-datacatalog-lineage-producer-client,” which could then be preinstalled on all Composer instances with elevated permissions.

While Cloud Composer requires that the package in question is version-pinned (i.e., version 0.1.0), Tenable found that using the “–extra-index-url” argument during a “pip install” command prioritizes fetching the package from the public registry, thereby opening the door to dependency confusion.

Armed with this privilege, attackers could execute code, exfiltrate service account credentials, and move laterally in the victim’s environment to other GCP services.

Following responsible disclosure on January 18, 2024, it was fixed by Google in May 2024 by ensuring that the package is only installed from a private repository. It has also added the extra precaution of verifying the package’s checksum in order to confirm its integrity and validate that it has not been tampered with.

The Python Packaging Authority (PyPA) is said to have been aware of the risks posed by the “–extra-index-url” argument since at least March 2018, urging users to skip using PyPI in cases where the internal package needs to be pulled.

Cybersecurity

“Packages are expected to be unique up to name and version, so two wheels with the same package name and version are treated as indistinguishable by pip,” a PyPA member noted at the time. “This is a deliberate feature of the package metadata, and not likely to change.”

Google, as part of its fix, now also recommends that developers use the “–index-url” argument instead of the “–extra-index-url” argument and that GCP customers make use of an Artifact Registry virtual repository when requiring multiple repositories.

“The ‘–index-url’ argument reduces the risk of dependency confusion attacks by only searching for packages in the registry that was defined as a given value for that argument,” Matan said.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.



[ad_2]

Source link

Previous Post

Behind the Scenes of Skift Meetings Forum 2024

Next Post

Apple’s 13-inch M2 iPad Air is back on sale for $720

admin

admin

Next Post

Apple's 13-inch M2 iPad Air is back on sale for $720

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Stay Connected test

  • 23.9k Followers
  • 99 Subscribers
  • Trending
  • Comments
  • Latest
CERT-UA Warns: Dark Crystal RAT Targets Ukrainian Defense via Malicious Signal Messages

Cybersecurity Under Siege: The Dark Crystal RAT Targets Ukraine’s Defense! 🚨🔒

March 20, 2025
Voyantis Secures $41M to Revolutionize AI-Driven Growth Strategies

Unlocking Growth: How Voyantis’ $41M AI Revolution is Changing the Game for Businesses 🌟💼

February 14, 2025

Oak View Group and OCESA Team Up to Offer Hospitality at Four Mexico City Venues

September 24, 2024

NYT mini crossword answers for September 22

September 22, 2024

Nth Degree Targets Strategic Acquisitions with New Backing from Shamrock Capital

0

5 Best Classic App Store Games

0

Apple Vision Pro Vulnerability Exposed Virtual Keyboard Inputs to Attackers

0

The best iPad accessories for 2024

0
Best New Games of May 2025

Top 5 Must-Play New Games of May 2025 🚀🎮 Unleash Your Gaming Adventure! 🌟

May 30, 2025
See Westeros in a New Light With Game of Thrones: Kingsroad

Discover Westeros Like Never Before: Your Epic Adventure Awaits with Game of Thrones: Kingsroad! 🏰✨🌍

May 28, 2025
Prostir Is a To-Do App for Stress-Free Planning

Unlock Your Zen: Transform Your To-Do List with Prostir! 📝✨

May 27, 2025
5 Best Games to Play Over the Long Weekend

Level Up Your Long Weekend: 5 Must-Play Games That Will Transform Your Gaming Experience! 🎮✨

May 23, 2025

Recent News

Best New Games of May 2025

Top 5 Must-Play New Games of May 2025 🚀🎮 Unleash Your Gaming Adventure! 🌟

May 30, 2025
See Westeros in a New Light With Game of Thrones: Kingsroad

Discover Westeros Like Never Before: Your Epic Adventure Awaits with Game of Thrones: Kingsroad! 🏰✨🌍

May 28, 2025
Prostir Is a To-Do App for Stress-Free Planning

Unlock Your Zen: Transform Your To-Do List with Prostir! 📝✨

May 27, 2025
5 Best Games to Play Over the Long Weekend

Level Up Your Long Weekend: 5 Must-Play Games That Will Transform Your Gaming Experience! 🎮✨

May 23, 2025

Biz Top News

At Biz Top News, we provide the latest updates and insights on technology, from AI and cybersecurity to apps and cryptocurrency. Stay informed with our expert analysis and breaking news.

Browse by Category

  • AI News
  • Apps
  • Crypto
  • Events
  • Security
  • Tech Trends
  • Uncategorized

About

  • About Us
  • Privacy & Policy
  • Terms Conditions
  • Contact Us

    © 2025 Biztoplocation - All rights reserved.

    No Result
    View All Result

    © 2025 Biztoplocation - All rights reserved.