services / Google Cloud / Cloud Run Jobs

A Cloud Run job is used for running code that executes for a period of time and exits once complete. Jobs may be executed on a one-off basis, a recurring schedule, or as part of a workflow.

Cloud Run jobs may be used for important organizational tasks, such as processing of sensitive data.


run.jobs.update

Allows an attacker to update settings for a job, including CPU/memory limits, timeouts, retries, the values of environment variables, and the container entrypoint command and arguments. Depending on the job and the contents of its environment variables and arguments, this may allow the attacker to hijack the job for their own purposes, manipulate organizational data, or store output data in a location accessible to the attacker. Changing CPU/memory limits or increasing retries can incur spend, and changing timeouts, reducing retries, or manipulating arguments/environment variables can create a denial of service (DoS).
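A drift check a defender can run over a job's exported spec to surface exactly the settings listed above, added here as an example; it is not part of the catalog entry or of Google's tooling. It assumes the Cloud Run v2 Job JSON layout (template.template.containers[]) as returned by `gcloud run jobs describe --format=json`; both specs below are constructed sample data.

```python
from typing import Any

# Settings that run.jobs.update lets a principal change, per the entry above.
WATCHED_TASK_FIELDS = ("timeout", "maxRetries")
WATCHED_CONTAINER_FIELDS = ("command", "args", "resources")

def _task(spec: dict[str, Any]) -> dict[str, Any]:
    # In the v2 resource model, Job.template (ExecutionTemplate) wraps the TaskTemplate.
    return spec.get("template", {}).get("template", {})

def _env(container: dict[str, Any]) -> dict[str, Any]:
    # Plain env entries carry "value"; secret-backed ones carry "valueSource" instead.
    return {e["name"]: e.get("value", e.get("valueSource")) for e in container.get("env", [])}

def job_drift(baseline: dict[str, Any], current: dict[str, Any]) -> list[str]:
    """Return one finding per sensitive field that differs between two job specs.
    Env values are reported as changed but never printed, since they may hold secrets."""
    findings: list[str] = []
    b_task, c_task = _task(baseline), _task(current)
    for f in WATCHED_TASK_FIELDS:
        if b_task.get(f) != c_task.get(f):
            findings.append(f"task.{f}: {b_task.get(f)!r} -> {c_task.get(f)!r}")
    b_cont = {c.get("name", str(i)): c for i, c in enumerate(b_task.get("containers", []))}
    c_cont = {c.get("name", str(i)): c for i, c in enumerate(c_task.get("containers", []))}
    for name in sorted(set(b_cont) | set(c_cont)):
        b, c = b_cont.get(name, {}), c_cont.get(name, {})
        for f in WATCHED_CONTAINER_FIELDS:
            if b.get(f) != c.get(f):
                findings.append(f"container[{name}].{f}: {b.get(f)!r} -> {c.get(f)!r}")
        b_env, c_env = _env(b), _env(c)
        for var in sorted(set(b_env) | set(c_env)):
            if b_env.get(var) != c_env.get(var):
                findings.append(f"container[{name}].env.{var}: changed")
    return findings

# Constructed sample data: the approved spec and the same job after an unreviewed update.
BASELINE = {"template": {"template": {"timeout": "600s", "maxRetries": 3, "containers": [
    {"name": "etl", "image": "example.com/etl:1.4", "command": ["python"], "args": ["etl.py"],
     "env": [{"name": "OUTPUT_BUCKET", "value": "gs://approved-reports"}],
     "resources": {"limits": {"cpu": "1", "memory": "512Mi"}}}]}}}
UPDATED = {"template": {"template": {"timeout": "600s", "maxRetries": 10, "containers": [
    {"name": "etl", "image": "example.com/etl:1.4", "command": ["sh"], "args": ["-c", "python etl.py"],
     "env": [{"name": "OUTPUT_BUCKET", "value": "gs://unapproved-bucket"}],
     "resources": {"limits": {"cpu": "8", "memory": "32Gi"}}}]}}}

if __name__ == "__main__":
    for finding in job_drift(BASELINE, UPDATED):
        print(finding)
```

Pair this with the Cloud Audit Log entry for the update so the finding can be tied to the principal that made the change.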

Risks

Scope: HIGH

This privilege may grant access to sensitive data from a single organizational function, or allow interruption of a service supporting a single organizational function.

Links

  • https://cloud.google.com/run/docs/resource-model
  • https://cloud.google.com/run/docs/managing/jobs
  • https://cloud.google.com/run/docs/reference/rest/v1/namespaces.jobs
  • https://cloud.google.com/run/docs/create-jobs
  • Contributed by P0 Security

    © 2023–present P0 Security and contributors to the IAM Privilege Catalog