Security Issue in Vertex Gemini API Allows Data Exfiltration
CVE-2024-12236

6.8 MEDIUM

Key Information:

Vendor
CVE Published:
10 December 2024

What is CVE-2024-12236?

A security issue exists in the Vertex Gemini API for customers using VPC Service Controls (VPC-SC). By supplying a custom-crafted file URI as image input, an attacker can exfiltrate data, because the request is routed outside the VPC-SC security perimeter and the intended VPC-SC restrictions are circumvented.

No further fix actions are needed. Google Cloud Platform implemented a fix to return an error message when a media file URL is specified in the fileUri parameter and VPC Service Controls is enabled. Other use cases are unaffected.
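The fixed behaviour described above (reject a media file URL in `fileUri` whenever VPC Service Controls is enforced) can also be enforced client-side, for example in a proxy or SDK wrapper that sees requests before they leave the perimeter. The following is an added example, not Google's code; it assumes the Gemini `generateContent` request shape `contents[].parts[].fileData.fileUri` and treats only `gs://` (Cloud Storage) URIs as in-perimeter.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumption: Cloud Storage URIs resolve inside the VPC-SC perimeter, so they
# are the only scheme allowed for fileUri while the perimeter is enforced.
ALLOWED_SCHEMES = {"gs"}


def check_file_uri(file_uri: str, vpc_sc_enabled: bool) -> Optional[str]:
    """Return an error message if this fileUri must be rejected, else None."""
    if not vpc_sc_enabled:
        return None  # outside a perimeter the original behaviour is unchanged
    scheme = urlsplit(file_uri).scheme.lower()
    if scheme in ALLOWED_SCHEMES:
        return None
    shown = scheme or "<none>"
    return (f"fileUri with scheme '{shown}' is not permitted while "
            "VPC Service Controls is enabled")


def validate_request(body: dict, vpc_sc_enabled: bool) -> list:
    """Walk every part of a generateContent body and collect fileUri errors."""
    errors = []
    for content in body.get("contents", []):
        for part in content.get("parts", []):
            file_data = part.get("fileData")
            if not file_data:
                continue  # text / inlineData parts carry no URI to check
            err = check_file_uri(file_data.get("fileUri", ""), vpc_sc_enabled)
            if err:
                errors.append(err)
    return errors


# Constructed sample requests (not real captures).
SAMPLE_OK = {"contents": [{"role": "user", "parts": [
    {"text": "Describe this image."},
    {"fileData": {"mimeType": "image/png", "fileUri": "gs://my-bucket/img.png"}},
]}]}
SAMPLE_BAD = {"contents": [{"role": "user", "parts": [
    {"text": "Describe this image."},
    {"fileData": {"mimeType": "image/png",
                  "fileUri": "https://example.invalid/img.png"}},
]}]}

if __name__ == "__main__":
    print(validate_request(SAMPLE_OK, vpc_sc_enabled=True))   # []
    print(validate_request(SAMPLE_BAD, vpc_sc_enabled=True))  # one error
```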

Affected Version(s)

Vertex Gemini API 0

References

CVSS V4

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
