Google told researcher 'Nice catch!' Then denied bug bounty for flaw it still hasn't fixed
ID: dc247833-c1b4-59d9-9dac-8c0719fdbcea
STIX ID: report--dc247833-c1b4-59d9-9dac-8c0719fdbcea
Feed Name: The Register (Security)
Threat Score
### Executive summary A security researcher disclosed "ConfigConfusion," a missing-authorization vulnerability in Google's open-source Config Connector Kubernetes operator that allows an attacker with kubectl access to a namespace to submit a malicious IAMPolicyMember and be promoted to GCP Organization Owner using the operator's elevated service account; Google initially classified the bug as P1/S1 but later declined a bounty and has not issued a CVE or patch.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
