VDB
GCVE-110-CLOUD-2021-0002
GCVE-110-CLOUD-2021-0002
Advisory Published
Dataflow worker nodes ran an unauthenticated Java Management Extensions (JMX) service that under
certain circumstances would be exposed to the Internet, thus allowing unauthenticated remote code
execution (RCE) as root in an unprivileged container. The impact of the vulnerability depended on
which service account qA assigned to Dataflow worker nodes (by default, that would be the Google
Compute Engine default service account, which has the project-wide Editor role assigned).
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| GCP | Dataflow | — | — |
| GCP | Compute Engine | — | — |
| GCP | Cloud Shell | — | — |
| Azure | Active Directory | — | — |
| Azure | AAD | — | — |
| GCP | Cloud Services | — | — |
| Azure | Cloud Services | — | — |
Aliases
References
Google Cloud Shell command injection
advisory
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.