VDB

GCVE-110-CLOUD-2023-0025

GCVE-110-CLOUD-2023-0025
Advisory Published
Vulnetix · Advisory published July 18, 2023
An information disclosure vulnerability in the Google Cloud Build service could have allowed an attacker to view sensitive logs if they had gained prior access to a GCP environment and had permission to create a new Cloud Build instance (cloudbuild.builds.create) or permission to directly impersonate the Cloud Build default service account (which is highly privileged by design and therefore considered to be a known privilege escalation vector in GCP). An attacker could then potentially use this information in order to better facilitate lateral movement, privilege escalation or a supply chain attack by other means. This issue was due to excessive permissions granted to the default service account created by Cloud Build, particularly access to audit logs containing all project permissions (logging.privateLogEntries.list).

Affected Products

VendorProductVersionsPlatforms
GCPCloud Build

References

Bad.Build
advisory
advisory
advisory

Browse GCVE Records

73,834 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›