gcloud-sql-contained-db-authentication-enabled: Contained Database Authentication Enabled in SQL Server Database Instances

日期: 2025-08-01 | 影响软件: gcloud sql | POC: 已公开

漏洞描述

Ensure that the "contained database authentication" database flag is disabled for your Google Cloud SQL Server database instances. This flag, when enabled, allows databases to contain their authentication and can potentially lead to security vulnerabilities.

PoC代码[已公开]

id: gcloud-sql-contained-db-authentication-enabled

info:
  name: Contained Database Authentication Enabled in SQL Server Database Instances
  author: princechaddha
  severity: medium
  description: |
    Ensure that the "contained database authentication" database flag is disabled for your Google Cloud SQL Server database instances. This flag, when enabled, allows databases to contain their authentication and can potentially lead to security vulnerabilities.
  impact: |
    Enabling the "contained database authentication" flag can introduce security risks by allowing databases to manage authentication independently, bypassing centralized security controls.
  remediation: |
    Disable the "contained database authentication" flag in your SQL Server database instance configuration to enhance security and enforce centralized authentication.
  reference:
    - https://cloud.google.com/sql/docs/sqlserver/flags
  tags: cloud,devops,gcp,gcloud,google-cloud-sql,sqlserver,gcp-cloud-config

flow: |
  code(1)
  for(let projectId of iterate(template.projectIds)){
    set("projectId", projectId)
    code(2)
    for(let sqlInstance of iterate(template.sqlInstances)){
      set("sqlInstance", sqlInstance)
      code(3)
    }
  }

self-contained: true

code:
  - engine:
      - sh
      - bash
    source: |
      gcloud projects list --format="json(projectId)"

    extractors:
      - type: json
        name: projectIds
        internal: true
        json:
          - '.[].projectId'

  - engine:
      - sh
      - bash
    source: |
      gcloud sql instances list --project $projectId --filter=DATABASE_VERSION:SQLSERVER* --format="json(name)"

    extractors:
      - type: json
        name: sqlInstances
        internal: true
        json:
          - '.[].name'

  - engine:
      - sh
      - bash
    source: |
      gcloud sql instances describe $sqlInstance --project $projectId --format=json | jq -r '.settings.databaseFlags[]? | select(.name=="contained database authentication") | .value // "null"'

    matchers:
      - type: word
        words:
          - 'on'

    extractors:
      - type: dsl
        dsl:
          - '"The contained database authentication flag is enabled for SQL Server instance " + sqlInstance + " in project " + projectId'
# digest: 4b0a004830460221009d7af3ce9bb0c3248c801ba776c3d94a4b60b1f7ac031e8ac0ec07726f637b76022100db7059bad1126aa8dfaf144495d992bd9cfac3635264e239a0f86d7885f50d20:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./cloud/gcp/sql/gcloud-sql-contained-db-authentication-enabled.yaml

相关漏洞推荐