PT-2024-17503 · Google · Vertex Gemini API

Published: 2024-12-10 · Updated: 2025-07-23 · CVE-2024-12236

CVSS v4.0: 6.8 (Medium)
Vector: AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Vertex Gemini API (affected versions not specified)

Description: A security issue exists in the Vertex Gemini API for customers using VPC Service Controls (VPC-SC). By supplying a custom crafted file URI for image input, data exfiltration is possible because the request is routed outside the VPC-SC security perimeter, circumventing the intended security restrictions of VPC-SC. After the fix, when a media file URL is specified in the fileUri parameter and VPC Service Controls is enabled, an error message is returned. Other use cases are unaffected.

Recommendations: No further fix actions are needed, as Google Cloud Platform has implemented a fix that returns an error message when a media file URL is specified in the fileUri parameter and VPC Service Controls is enabled. As a temporary workaround, consider restricting the use of custom crafted file URIs for image input until the issue is fully resolved. Avoid using the fileUri parameter with media file URLs when VPC Service Controls is enabled to minimize the risk of exploitation.
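A request-side policy check that implements the workaround above: it walks a generateContent-style request body, collects every fileUri, and flags any that is not a gs:// Cloud Storage URI while VPC-SC is enabled. This is an added example, not code from the advisory or from Google; the request layout (contents[].parts[].fileData.fileUri, with snake_case variants) and the choice of gs:// as the only in-perimeter scheme are assumptions, and the sample request is constructed.

```python
from urllib.parse import urlparse

# Assumed request shape (Vertex AI generateContent style):
# {"contents": [{"role": "user", "parts": [{"fileData": {"mimeType": ..., "fileUri": ...}}]}]}
# fileUri is the parameter named in the advisory; the surrounding structure is an assumption.

# Assumption for this policy: Cloud Storage URIs stay inside the VPC-SC perimeter,
# anything else (http/https media URLs, bare paths) is treated as leaving it.
ALLOWED_SCHEMES = {"gs"}


def iter_file_uris(request):
    """Yield every fileUri under contents[].parts[].fileData (camelCase or snake_case keys)."""
    for content in request.get("contents", []):
        for part in content.get("parts", []):
            file_data = part.get("fileData") or part.get("file_data") or {}
            uri = file_data.get("fileUri") or file_data.get("file_uri")
            if uri:
                yield uri


def unsafe_file_uris(request, vpc_sc_enabled=True):
    """Return fileUri values whose scheme is not in ALLOWED_SCHEMES.

    The advisory says other use cases are unaffected, so nothing is flagged
    when VPC Service Controls is not enabled for the project.
    """
    if not vpc_sc_enabled:
        return []
    return [uri for uri in iter_file_uris(request)
            if urlparse(uri).scheme.lower() not in ALLOWED_SCHEMES]


def check_request(request, vpc_sc_enabled=True):
    """Gate an outbound request: raise if a media URL is used with VPC-SC enabled."""
    flagged = unsafe_file_uris(request, vpc_sc_enabled)
    if flagged:
        raise ValueError(f"fileUri not allowed under VPC-SC: {flagged}")
    return True


# Constructed sample request (not taken from the advisory).
SAMPLE_REQUEST = {
    "contents": [{
        "role": "user",
        "parts": [
            {"text": "Describe these images."},
            {"fileData": {"mimeType": "image/png", "fileUri": "gs://example-bucket/ok.png"}},
            {"file_data": {"mime_type": "image/jpeg", "file_uri": "https://media.example.invalid/x.jpg"}},
        ],
    }],
}

if __name__ == "__main__":
    print(unsafe_file_uris(SAMPLE_REQUEST))  # prints ['https://media.example.invalid/x.jpg']
```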

Fix

Weakness Enumeration: Improper Handling of Exceptional Conditions

Related Identifiers: CVE-2024-12236

Affected Products: Vertex Gemini API