VDB

GCVE-110-CLOUD-2021-0002

GCVE-110-CLOUD-2021-0002
Advisory Published
Vulnetix · Advisory published December 28, 2021
Dataflow worker nodes ran an unauthenticated Java Management Extensions (JMX) service that under certain circumstances would be exposed to the Internet, thus allowing unauthenticated remote code execution (RCE) as root in an unprivileged container. The impact of the vulnerability depended on which service account qA assigned to Dataflow worker nodes (by default, that would be the Google Compute Engine default service account, which has the project-wide Editor role assigned).

Affected Products

VendorProductVersionsPlatforms
GCPDataflow
GCPCompute Engine
GCPCloud Shell
AzureActive Directory
AzureAAD
GCPCloud Services
AzureCloud Services

References

advisory
advisory
advisory
advisory
advisory
advisory
advisory

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›