Security Issue in Vertex Gemini API Allows Data Exfiltration
CVE-2024-12236

6.8MEDIUM

Key Information:

Vendor: Google Cloud Platform
Status: Vertex Gemini Api
Vendor: CVE Published:; 10 December 2024

🔔 Create Google Cloud Platform Vulnerability Alert

What is CVE-2024-12236?

A security issue exists in Vertex Gemini API for customers using VPC-SC. By utilizing a custom crafted file URI for image input, data exfiltration is possible due to requests being routed outside the VPC-SC security perimeter, circumventing the intended security restrictions of VPC-SC.

No further fix actions are needed. Google Cloud Platform implemented a fix to return an error message when a media file URL is specified in the fileUri parameter and VPC Service Controls is enabled. Other use cases are unaffected.

Affected Version(s)

Vertex Gemini API 0

References

https://cloud.google.com/vertex-ai/generative-ai/docs/sec...

CVSS V4

Score:

6.8

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 10, 2024
Vulnerability Reserved
Dec 5, 2024