Add the feed URL directly to your feed reader: https://cloud.google.com/feeds/cloudbuild-security-bulletins.xml
GCP-2023-013
Published: 2023-06-08
Description
Severity
Notes
When you enable the Cloud Build API in a project, Cloud Build automatically creates a default service account to execute builds on your behalf. This Cloud Build legacy service account previously had the logging.privateLogEntries.list IAM permission, which allowed builds to list private logs by default. This permission has now been revoked from the Cloud Build service account to adhere to the security principle of least privilege.
What should I do?
No further user action is required. The logging.privateLogEntries.list IAM permission has been revoked from the Cloud Build legacy service account and the fix has been rolled out.
What vulnerabilities are addressed by this patch?
This vulnerability granted builds the permission to list private logs. Since the logging.privateLogEntries.list IAM permission has now been revoked from the Cloud Build legacy service account, builds no longer have access to list private logs by default.
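The revocation covers the default grant only; an explicit IAM binding can still give the legacy account this permission. The following added example (not part of the bulletin or of Google's tooling) scans an exported project IAM policy for such bindings. The sample policy, the abridged role map, the project number and the function name audit_legacy_sa are constructed for illustration, and the account address pattern PROJECT_NUMBER@cloudbuild.gserviceaccount.com is an assumption not stated on this page.

```python
import json
import re

PERMISSION = "logging.privateLogEntries.list"
# Assumption: the legacy account is PROJECT_NUMBER@cloudbuild.gserviceaccount.com.
LEGACY_SA = re.compile(r"^serviceAccount:\d+@cloudbuild\.gserviceaccount\.com$")

# Constructed sample in the shape of
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/cloudbuild.builds.builder",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "roles/logging.privateLogViewer",
   "members": ["user:auditor@example.com",
               "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]},
  {"role": "projects/example-project/roles/buildExtras",
   "members": ["serviceAccount:123456789012@cloudbuild.gserviceaccount.com"]}
]}
""")

# Constructed, abridged role -> permissions map. Fill it from the
# includedPermissions field of `gcloud iam roles describe ROLE --format=json`.
SAMPLE_ROLES = {
    "roles/cloudbuild.builds.builder": ["cloudbuild.builds.create",
                                        "logging.logEntries.create"],
    "roles/logging.privateLogViewer": ["logging.logEntries.list",
                                       "logging.privateLogEntries.list"],
}

def audit_legacy_sa(policy, role_permissions, permission=PERMISSION):
    """Return (grants, unresolved) for bindings held by the legacy account.

    grants: (member, role) pairs whose role includes `permission`.
    unresolved: roles bound to the account but absent from role_permissions
    (for example custom roles), which need a manual look.
    """
    grants, unresolved = [], []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        members = [m for m in binding.get("members", []) if LEGACY_SA.match(m)]
        if not members:
            continue
        if role not in role_permissions:
            unresolved.append(role)
        elif permission in role_permissions[role]:
            grants.extend((m, role) for m in members)
    return grants, unresolved

if __name__ == "__main__":
    print(audit_legacy_sa(SAMPLE_POLICY, SAMPLE_ROLES))
```

A role listed under unresolved is not a finding by itself; it means its permissions were not supplied and must be looked up before the account can be considered clean.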
Last updated 2025-03-05 UTC.