
A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow.

Cloud Run jobs may be used for important organizational tasks, such as processing sensitive data.

run.jobs.runWithOverrides

Allows an attacker to run a job while overriding its environment variables and arguments. Depending on the job and on what its environment variables and arguments control, this may let the attacker hijack the job for their own purposes, manipulate organizational data, or redirect output data to a location the attacker can access. It also carries a resource hijacking risk when combined with the job create permission and iam.serviceAccounts.actAs on the Cloud Run service account.

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://cloud.google.com/run/docs/resource-model
  • https://cloud.google.com/run/docs/managing/jobs
  • https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs
  • https://cloud.google.com/run/docs/create-jobs
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog