Vertex Gemini API Data Exfiltration Vulnerability via Custom File URI
CVE-2024-12236 Published on December 10, 2024
Use of Custom URI for media inputs with VPC-SC enabled potentially leads to data exfiltration
A security issue exists in Vertex Gemini API for customers using VPC-SC. By utilizing a custom crafted file URI for image input, data exfiltration is possible due to requests being routed outside the VPC-SC security perimeter, circumventing the intended security restrictions of VPC-SC.
No further fix actions are needed. Google Cloud Platform implemented a fix to return an error message when a media file URL is specified in the fileUri parameter and VPC Service Controls is enabled. Other use cases are unaffected.
Weakness Type
Improper Handling of Exceptional Conditions
The software does not handle or incorrectly handles an exceptional condition.
Products Associated with CVE-2024-12236
Want to know whenever a new CVE is published for Google Vertex Gemini Api? stack.watch will email you.
Affected Versions
Google Cloud Platform Vertex Gemini API Version 0 is affected by CVE-2024-12236Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.