services / Google Cloud / Google App Engine services

A service is a logical component of an application that can share state and securely communicate with other services.

Application functionality relies on services: deleting or updating services can prevent normal application function.


appengine.services.update

Allows modifying network traffic settings. An attacker could divert traffic to invalid versions, causing a denial of service (DoS). Combined with versions.create, the impact extends to defacement, since the attacker could deploy a version and then divert traffic to it. Also allows modifying ingress traffic settings, which could either lead to escalation by making access public, or restrict previously authorized access by narrowing the policy.
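A defender can review changes made with this permission by comparing two snapshots of the service resource. The following is an added example, not code from the catalog or from Google: the snapshots, the version names and the approved-version set are constructed, and the field names are those of the Admin API apps.services resource (split.allocations, networkSettings.ingressTrafficAllowed).

```python
# Added example with constructed data; not P0 Security or Google code.
# Ingress values ranked from most restrictive (0) to most open (2).
INGRESS_RANK = {
    "INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY": 0,
    "INGRESS_TRAFFIC_ALLOWED_INTERNAL_AND_LB": 1,
    "INGRESS_TRAFFIC_ALLOWED_ALL": 2,
    # Assumption: an unset or unspecified value behaves like the
    # App Engine default, which allows all traffic.
    "INGRESS_TRAFFIC_ALLOWED_UNSPECIFIED": 2,
}


def _ingress_rank(service):
    value = service.get("networkSettings", {}).get(
        "ingressTrafficAllowed", "INGRESS_TRAFFIC_ALLOWED_UNSPECIFIED")
    # Unknown values are treated as fully open so they are never missed.
    return INGRESS_RANK.get(value, 2)


def review_service_change(before, after, approved_versions):
    """Return findings for one service: unapproved traffic targets and
    ingress changes in either direction (widened or narrowed)."""
    findings = []
    allocations = after.get("split", {}).get("allocations", {})
    for version, share in sorted(allocations.items()):
        if share > 0 and version not in approved_versions:
            findings.append(f"traffic:{version}:{share}")
    old, new = _ingress_rank(before), _ingress_rank(after)
    if new > old:
        findings.append("ingress:widened")
    elif new < old:
        findings.append("ingress:narrowed")
    return findings


# Constructed snapshots of the same service before and after an update.
BEFORE = {"id": "default",
          "split": {"allocations": {"v1": 1.0}},
          "networkSettings": {
              "ingressTrafficAllowed": "INGRESS_TRAFFIC_ALLOWED_INTERNAL_ONLY"}}
AFTER = {"id": "default",
         "split": {"allocations": {"v1": 0.2, "v9": 0.8}},
         "networkSettings": {
             "ingressTrafficAllowed": "INGRESS_TRAFFIC_ALLOWED_ALL"}}

if __name__ == "__main__":
    for finding in review_service_change(BEFORE, AFTER, {"v1"}):
        print(finding)
```

Both ingress directions are reported because the description above treats widening as escalation and narrowing as loss of previously authorized access.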

Risks

Scope: CRITICAL

This privilege may grant access to sensitive data from a significant fraction of organizational functions, allow interruption of critical organizational services, or its exploitation could lead to significant privilege escalation.

Links

  • https://cloud.google.com/appengine/docs/admin-api/access-control#roles
  • https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.services
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog