Fleet Google Calendar Credential Exposure Vulnerability for Low-Privilege Users

Vulnerability

A vulnerability exists in Fleet's configuration API in versions prior to 4.80.1, allowing authenticated users with low-privilege roles to access Google Calendar service account credentials. This exposure could lead to unauthorized access to Google Calendar resources linked to the service account. The issue arises because Fleet's API endpoint, available to all authenticated users including those with the 'Observer' role, fails to properly obfuscate Google Calendar service account credentials before returning them. Consequently, a low-privilege user could obtain the service account's private key material, potentially gaining unauthorized access to calendar data or other Google Workspace resources associated with the service account. However, this vulnerability does not permit privilege escalation within Fleet or access to device management features.
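The flaw described above is a missing redaction step: the config endpoint serializes the stored integration settings, private key and all, for any authenticated caller. The Go program below is an added illustration, not Fleet's code, and its type names (ServiceAccountKey, GoogleCalendarIntegration, AppConfig) and function names are hypothetical stand-ins for whatever Fleet actually uses. It places a response that leaks the key beside one that masks private_key and private_key_id before serialization, and adds a small check, usable as a regression test or response-scanning rule, that flags any API body carrying a PEM private-key header. The service-account key in the sample is a constructed placeholder, not real key material.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// ServiceAccountKey mirrors the fields of a Google service-account key file.
// Hypothetical type for this example; not Fleet's real struct.
type ServiceAccountKey struct {
	Type         string `json:"type"`
	ProjectID    string `json:"project_id"`
	PrivateKeyID string `json:"private_key_id"`
	PrivateKey   string `json:"private_key"`
	ClientEmail  string `json:"client_email"`
}

// GoogleCalendarIntegration is a stand-in for the stored integration settings.
type GoogleCalendarIntegration struct {
	Domain     string            `json:"domain"`
	APIKeyJSON ServiceAccountKey `json:"api_key_json"`
}

// AppConfig is a stand-in for the object the config endpoint returns.
type AppConfig struct {
	GoogleCalendar []GoogleCalendarIntegration `json:"google_calendar"`
}

const maskedSecret = "********"

// RedactCredentials returns a copy of cfg with key material replaced by a
// fixed mask. The loop variable is a struct copy, so the stored config is
// not mutated; the non-secret fields (domain, client_email) stay visible
// so the UI can still show which integration is configured.
func RedactCredentials(cfg AppConfig) AppConfig {
	out := AppConfig{GoogleCalendar: make([]GoogleCalendarIntegration, len(cfg.GoogleCalendar))}
	for i, gc := range cfg.GoogleCalendar {
		gc.APIKeyJSON.PrivateKey = maskedSecret
		gc.APIKeyJSON.PrivateKeyID = maskedSecret
		out.GoogleCalendar[i] = gc
	}
	return out
}

// VulnerableResponse models the flaw: the stored config is serialized as-is,
// so every authenticated caller receives the private key.
func VulnerableResponse(cfg AppConfig) ([]byte, error) {
	return json.Marshal(cfg)
}

// HardenedResponse redacts before serializing, independent of caller role:
// key material never needs to leave the server in a config read.
func HardenedResponse(cfg AppConfig) ([]byte, error) {
	return json.Marshal(RedactCredentials(cfg))
}

// LeaksPrivateKey is a cheap guard for tests or response scanning: a config
// response body should never contain a PEM private-key header.
func LeaksPrivateKey(body []byte) bool {
	return bytes.Contains(body, []byte("-----BEGIN PRIVATE KEY-----"))
}

// sampleConfig builds a constructed config; the key body is a placeholder.
func sampleConfig() AppConfig {
	return AppConfig{GoogleCalendar: []GoogleCalendarIntegration{{
		Domain: "example.com",
		APIKeyJSON: ServiceAccountKey{
			Type:         "service_account",
			ProjectID:    "example-project",
			PrivateKeyID: "0123456789abcdef",
			PrivateKey:   "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
			ClientEmail:  "calendar-bot@example-project.iam.gserviceaccount.com",
		},
	}}}
}

func main() {
	cfg := sampleConfig()
	vuln, _ := VulnerableResponse(cfg)
	hard, _ := HardenedResponse(cfg)
	fmt.Println("vulnerable response leaks key:", LeaksPrivateKey(vuln))
	fmt.Println("hardened response leaks key:  ", LeaksPrivateKey(hard))
	fmt.Println(string(hard))
}
```

The redaction is applied in the response path rather than gated on role, because a config read never needs the key: only the server-side calendar client does. Wiring LeaksPrivateKey into the endpoint's test suite catches a regression of this class before it ships.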

Impact

The vulnerability allows low-privilege users to access sensitive Google Calendar service account credentials, including private key material, which could be used to access calendar data or other Google Workspace resources linked to the service account.

Remediation

Users can upgrade to Fleet version 4.80.1 or later to address this vulnerability. If an immediate upgrade is not possible, administrators should remove the Google Calendar integration from Fleet and rotate the affected Google service account credentials.

Added: Feb 26, 2026, 10:55 AM
Updated: Feb 26, 2026, 10:55 AM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 4.2
exploitability: 5.2
remediation: 8.3
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.