CVE-2024-12236

MEDIUM

Google Vertex Gemini API - Improper Exception Handling

Title source: rule

Description

A security issue exists in Vertex Gemini API for customers using VPC-SC. By utilizing a custom crafted file URI for image input, data exfiltration is possible due to requests being routed outside the VPC-SC security perimeter, circumventing the intended security restrictions of VPC-SC. No further fix actions are needed. Google Cloud Platform implemented a fix to return an error message when a media file URL is specified in the fileUri parameter and VPC Service Controls is enabled. Other use cases are unaffected.

References (1)

[Vendor Advisory] https://cloud.google.com/vertex-ai/generative-ai/docs/security-bulletins#gcp-2024-063

Scores

CVSS v3 5.5

EPSS 0.0005

EPSS Percentile 14.2%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-755

Status published

Products (1)

google/vertex_gemini_api

Published Dec 10, 2024

Tracked Since Feb 18, 2026