gcloud-disk-image-public-access: Disk Images Publicly Shared

Date: 2025-08-01 | Affected software: gcloud disk image public access | PoC: published

Vulnerability description

Ensure that your virtual machine disk images are not publicly shared with all other Google Cloud Platform (GCP) accounts in order to avoid exposing sensitive or confidential data. If required, you can share your disk images with specific GCP accounts only, without making them public.

PoC code [published]

id: gcloud-disk-image-public-access

info:
  name: Disk Images Publicly Shared
  author: princechaddha
  severity: medium
  description: |
    Ensure that your virtual machine disk images are not publicly shared with all other Google Cloud Platform (GCP) accounts in order to avoid exposing sensitive or confidential data. If required, you can share your disk images with specific GCP accounts only, without making them public.
  impact: |
    Publicly shared disk images can expose sensitive application data and configurations to anyone with a Google Cloud account, potentially leading to security breaches.
  remediation: |
    Remove the "allAuthenticatedUsers" member from the IAM policy of affected disk images using the 'gcloud compute images remove-iam-policy-binding' command or through the Google Cloud Console.
  reference:
    - https://www.trendmicro.com/cloudoneconformity/knowledge-base/gcp/ComputeEngine/publicly-shared-disk-images.html
    - https://cloud.google.com/compute/docs/images/managing-access-custom-images
  tags: cloud,devops,gcp,gcloud,compute,security,storage,disk-images,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let image of iterate(template.images)){
      image = JSON.parse(image)
      set("imageName", image.name)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud compute images list --project $projectId --no-standard-images --format="json(name)"

    extractors:
      - type: json
        name: images
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash
    source: |
      gcloud compute images get-iam-policy $imageName --project $projectId --format="json(bindings[].members[])"

    matchers:
      - type: word
        words:
          - '"allAuthenticatedUsers"'

    extractors:
      - type: dsl
        dsl:
          - '"Disk image " + imageName + " in project " + projectId + " is publicly shared with all Google Cloud users"'
# digest: 4a0a0047304502204f5fe6175038d8ae8f9ca04d4526a5b544ff323d1f60083d6a23c8369645a21502210097538dc98d9dc851d60cbc0f2f4c5987dcbb2d045ee56f3af740f364acc6ccc7:922c64590222798bb761d5b6d8e72950
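The template's third step pipes the raw output of `gcloud compute images get-iam-policy` through a word matcher for `"allAuthenticatedUsers"`. The script below, added here as an example and not part of the Nuclei template or the referenced projects, performs the same evaluation offline by parsing the policy JSON instead of substring-matching it, and also generates the exact `gcloud compute images remove-iam-policy-binding` command the remediation note calls for. It goes slightly beyond the template in that it also flags `allUsers`, the other principal that makes a GCP IAM resource public. The project id, image names, e-mail addresses and policy documents are constructed sample data, not values from the page.

```python
"""Classify Compute Engine image IAM policies for public exposure.

Added example, not part of the Nuclei template above. Given the JSON that
`gcloud compute images get-iam-policy IMAGE --project PROJECT --format=json`
prints, it reports which bindings grant access to every Google account and
builds the remove-iam-policy-binding command that reverts each one.
All policy documents and identifiers below are constructed sample data.
"""
import json

# Principals that make a resource public in GCP IAM. The template matches
# only allAuthenticatedUsers; allUsers (anonymous access) is added here.
PUBLIC_MEMBERS = {"allAuthenticatedUsers", "allUsers"}


def public_bindings(policy_json):
    """Return [(role, member), ...] for every binding granting a public principal.

    `policy_json` is the text of an IAM policy document. A policy without a
    "bindings" key (an image with no grants at all) yields an empty list.
    """
    policy = json.loads(policy_json)
    found = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                found.append((role, member))
    return found


def remediation_commands(project_id, image_name, policy_json):
    """Build one remove-iam-policy-binding command per public binding found."""
    cmds = []
    for role, member in public_bindings(policy_json):
        cmds.append(
            f"gcloud compute images remove-iam-policy-binding {image_name} "
            f"--project={project_id} --member={member} --role={role}"
        )
    return cmds


# Constructed sample policies in the shape gcloud emits (not real data).
PUBLIC_POLICY = json.dumps({
    "bindings": [
        {"members": ["allAuthenticatedUsers", "user:alice@example.com"],
         "role": "roles/compute.imageUser"},
    ],
    "etag": "BwXexample=",
    "version": 1,
})
PRIVATE_POLICY = json.dumps({
    "bindings": [
        {"members": ["serviceAccount:builder@example-project.iam.gserviceaccount.com"],
         "role": "roles/compute.imageUser"},
    ],
    "etag": "BwXexample=",
    "version": 1,
})
EMPTY_POLICY = json.dumps({"etag": "BwXexample=", "version": 1})

if __name__ == "__main__":
    # Mirrors the template's per-image loop for the constructed sample data.
    samples = [("public-img", PUBLIC_POLICY),
               ("private-img", PRIVATE_POLICY),
               ("empty-img", EMPTY_POLICY)]
    for name, doc in samples:
        hits = public_bindings(doc)
        if hits:
            print(f"Disk image {name} in project example-project is publicly "
                  f"shared with all Google Cloud users: {hits}")
            for cmd in remediation_commands("example-project", name, doc):
                print("   ", cmd)
        else:
            print(f"Disk image {name}: no public bindings")
```

Parsing the document rather than grepping it lets the check report which role was granted publicly, which matters because `roles/compute.imageUser` on a custom image lets any authenticated Google account create disks from it and read the contents. In a real inventory run, replace the sample documents with the output of the `get-iam-policy` call from the template's third step.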