CVE-2024-12236 MEDIUM

CVE-2024-12236: Use of Custom URI for media inputs with VPC-SC enabled potentially leads to data exfiltration

Vendor Google Cloud Platform
Product Vertex Gemini API
Weakness CWE-755
Published December 10, 2024
Last update January 30, 2025

CVSS base score

6.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

What the vulnerability does

01Description

A security issue exists in Vertex Gemini API for customers using VPC-SC. By utilizing a custom crafted file URI for image input, data exfiltration is possible due to requests being routed outside the VPC-SC security perimeter, circumventing the intended security restrictions of VPC-SC. No further fix actions are needed. Google Cloud Platform implemented a fix to return an error message when a media file URL is specified in the fileUri parameter and VPC Service Controls is enabled. Other use cases are unaffected.

Key dates

02Disclosure timeline

December 10, 2024 CVE published
January 30, 2025 Record updated