Source: www.securityweek.com – Author: Eduard Kovacs
Google Cloud recently patched a privilege escalation vulnerability that could have allowed threat actors to gain access to sensitive information.
The vulnerability, discovered by researchers at Tenable, has been named ImageRunner because it impacts Cloud Run, a fully managed serverless platform that allows developers to deploy and run containerized applications directly on Google’s infrastructure.
Google Cloud told SecurityWeek that it notified Cloud Run customers about the vulnerability in November 2024, and fully deployed a security enhancement to address the issue on January 28, 2025.
According to Tenable, the ImageRunner vulnerability could have been exploited by an attacker who had certain permissions on the targeted user’s project to modify a Cloud Run service, which could enable them to access sensitive or proprietary images.
In the worst-case scenario, an attacker could have leveraged the flaw to extract secrets from a private image and exfiltrate sensitive data, Tenable said.
The security firm has published technical details and described the steps for conducting an ImageRunner attack.
A Google Cloud spokesperson said the update rolled out to address ImageRunner “ensures Cloud Run deployments now include an IAM check to ensure the deployer has read access to the container image. Previously, an explicit IAM permission was checked only when deploying a container image from another Google Cloud project.”
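The change Google describes can be modelled as a deploy-time authorization decision, which also gives a way to list principals whose access narrowed with the update. The Python below is an added example, not code from Google, Tenable or the article; the two permission names are assumptions the article does not give, and the roles, principals and projects are constructed sample data.

```python
"""Model of the deploy-time image-read check, run over constructed IAM data."""

# Assumed permission names (the article only says "certain permissions").
DEPLOY = "run.services.update"
READ_IMAGE = "artifactregistry.repositories.downloadArtifacts"

# Constructed sample roles and bindings: (principal, role, project).
ROLES = {
    "roles/example.runDeployer": {DEPLOY},
    "roles/example.imageReader": {READ_IMAGE},
}
BINDINGS = [
    ("user:alice@example.com", "roles/example.runDeployer", "proj-a"),
    ("user:alice@example.com", "roles/example.imageReader", "proj-a"),
    ("user:bob@example.com", "roles/example.runDeployer", "proj-a"),
    ("user:carol@example.com", "roles/example.runDeployer", "proj-a"),
    ("user:carol@example.com", "roles/example.imageReader", "proj-b"),
]


def has_permission(principal, permission, project):
    """True if any binding in `project` grants `permission` to `principal`."""
    return any(
        p == principal and proj == project and permission in ROLES.get(role, ())
        for p, role, proj in BINDINGS
    )


def may_deploy(principal, service_project, image_project, patched):
    """Authorization decision for deploying `image_project`'s image to a service."""
    if not has_permission(principal, DEPLOY, service_project):
        return False
    cross_project = image_project != service_project
    # Previously the explicit image-read check ran only for cross-project images;
    # after the update it runs for every deployment.
    if patched or cross_project:
        return has_permission(principal, READ_IMAGE, image_project)
    return True


def exposure_gap(service_project, image_project):
    """Principals the old behaviour authorized that the new check rejects."""
    principals = sorted({p for p, _, _ in BINDINGS})
    return [
        p for p in principals
        if may_deploy(p, service_project, image_project, patched=False)
        and not may_deploy(p, service_project, image_project, patched=True)
    ]
```

Principals returned by `exposure_gap` for a same-project image are the ones to review: they could modify a service without holding read access to the images in that project.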
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
Original Post URL: https://www.securityweek.com/imagerunner-flaw-exposed-sensitive-information-in-google-cloud/
Category & Tags: Cloud Security, cloud security, Google Cloud, ImageRunner