gcloud-certificate-validity-exceeded: Exceeded SSL Certificate Validity Period

日期: 2025-08-01 | 影响软件: gcloud certificate validity exceeded | POC: 已公开

漏洞描述

Ensure that SSL certificates managed with Google Cloud Certificate Manager don't have a validity period greater than 398 days (13 months). This is to enhance security by reducing the risk of certificate compromise and misuse, while aligning with industry standards and support from modern web browsers.

PoC代码[已公开]

id: gcloud-certificate-validity-exceeded

info:
  name: Exceeded SSL Certificate Validity Period
  author: princechaddha
  severity: medium
  description: |
    Ensure that SSL certificates managed with Google Cloud Certificate Manager don't have a validity period greater than 398 days (13 months). This is to enhance security by reducing the risk of certificate compromise and misuse, while aligning with industry standards and support from modern web browsers.
  impact: |
    An SSL certificate with a validity period exceeding 398 days poses a higher risk of compromise and misuse. It also fails to comply with industry standards, potentially leading to incompatibilities or security warnings in web browsers.
  remediation: |
    Review and adjust the renewal configurations for SSL certificates to ensure their validity periods do not exceed 398 days.
  reference:
    - https://cloud.google.com/certificate-manager/docs
  tags: cloud,devops,gcp,gcloud,certificate-manager,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let certificate of iterate(template.certificates)){
      set("certificateName", certificate)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud certificate-manager certificates list --project $projectId --format="json(name)"

    extractors:
      - type: json
        name: certificates
        internal: true
        json:
          - '.[].name'

  - engine:
      - sh
      - bash
    source: |
      gcloud certificate-manager certificates describe $certificateName --project $projectId --format="json(createTime,expireTime)" | jq '[(.expireTime | fromdateiso8601) - (.createTime | fromdateiso8601) < 34444800] | any'

    matchers:
      - type: word
        words:
          - 'false'

    extractors:
      - type: dsl
        dsl:
          - '"Non-compliant SSL Certificate: " + certificateName + " in Project: " + projectId + " with Expiry beyond 398 days"'
# digest: 490a004630440220249ea895515d2fc98d8c0890a791e1ab9758411dd16248ba4da5dc9379dba072022034c8195a381830f12737dbc03be0daf4756d73906fb9e9a50a117c8349cee3bf:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/gcp/certificatemanager/gcloud-certificate-validity-exceeded.yaml