What is the severity of CVE-2024-12236?

CVE-2024-12236 has been rated as a high-severity vulnerability due to potential data exfiltration risks.

How do I fix CVE-2024-12236?

To mitigate CVE-2024-12236, ensure that your Vertex Gemini API configuration adheres to the VPC-SC security parameters and restrict file URI inputs.

Who is affected by CVE-2024-12236?

CVE-2024-12236 affects customers using Google Cloud Platform's Vertex Gemini API with VPC-SC enabled.

What is the impact of CVE-2024-12236?

The impact of CVE-2024-12236 includes the possibility of sensitive data being exfiltrated outside of the intended VPC-SC security perimeter.

How can I prevent data exfiltration related to CVE-2024-12236?

Preventing data exfiltration related to CVE-2024-12236 involves strict validation of file URIs and compliance with VPC-SC policies.

Vulnerability/
CVE-2024-12236

medium

6.8

CWE

755

10/12/2024

30/1/2025

CVE-2024-12236: Use of Custom URI for media inputs with VPC-SC enabled potentially leads to data exfiltration

First published: Tue Dec 10 2024(Updated: )

A security issue exists in Vertex Gemini API for customers using VPC-SC. By utilizing a custom crafted file URI for image input, data exfiltration is possible due to requests being routed outside the VPC-SC security perimeter, circumventing the intended security restrictions of VPC-SC. No further fix actions are needed. Google Cloud Platform implemented a fix to return an error message when a media file URL is specified in the fileUri parameter and VPC Service Controls is enabled. Other use cases are unaffected.

Credit: cve-coordination@google.com

Affected Software	Affected Version	How to fix
Google Cloud Platform Marketplace

Never miss a vulnerability like this again

Reference Links

https://cloud.google.com/vertex-ai/generative-ai/docs/security-bulletins#gcp-2024-063

Frequently Asked Questions

What is the severity of CVE-2024-12236?
CVE-2024-12236 has been rated as a high-severity vulnerability due to potential data exfiltration risks.
How do I fix CVE-2024-12236?
To mitigate CVE-2024-12236, ensure that your Vertex Gemini API configuration adheres to the VPC-SC security parameters and restrict file URI inputs.
Who is affected by CVE-2024-12236?
CVE-2024-12236 affects customers using Google Cloud Platform's Vertex Gemini API with VPC-SC enabled.
What is the impact of CVE-2024-12236?
The impact of CVE-2024-12236 includes the possibility of sensitive data being exfiltrated outside of the intended VPC-SC security perimeter.
How can I prevent data exfiltration related to CVE-2024-12236?
Preventing data exfiltration related to CVE-2024-12236 involves strict validation of file URIs and compliance with VPC-SC policies.

agent/weakness
agent/title
agent/references
agent/type
agent/first-publish-date
agent/description
agent/author
agent/severity
agent/event
agent/source
collector/mitre-cve
source/MITRE
collector/nvd-api
source/NVD
agent/last-modified-date
agent/softwarecombine
agent/tags
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
vendor/google
canonical/google cloud platform marketplace

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.