Stay organized with collections
Save and categorize content based on your preferences.
The following describes all security bulletins related to
Vertex AI.
GCP-2024-063
Published: 2024-12-06
Description
Severity
Notes
A vulnerability was discovered in the Vertex AI API serving Gemini
multimodal requests, allowing bypass of
VPC Service Controls.
An attacker may be able to abuse the
fileURI
parameter of the API to exfiltrate data.
What should I do?
No actions needed. We've implemented a fix to return an error message when a
media file URL is specified in the fileUri parameter and VPC Service Controls
is enabled. Other use cases are unaffected.
What vulnerabilities are being addressed?
The Vertex AI API serving Gemini multimodal requests lets you
include media files by specifying the URL of the media file in the
fileUri parameter. This capability can be used to bypass
VPC Service Controls perimeters. An attacker inside the service perimeter
could encode sensitive data in the fileURI parameter to bypass
the service perimeter.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2024-12-20 UTC."],[],[]]