medium

GCP Speech to Text Information Disclosure

Published Sun, Jan 12th, 2020

Platforms

Summary

GCP's Speech-to-Text "operations/list" and "operations/get" APIs would return data that did not belong to the caller when no parameters were provided. It is unclear whether this was cross-customer data disclosure, or potentially test or internal data.

Affected Services

GCP Speech-to-Text

Remediation

null

Tracked CVEs

No tracked CVEs

References

https://www.dcine.com/2020/01/12/information-disclosure-vulnerability-in-the-google-cloud-speech-to-text-api/

Contributed by https://github.com/ramimac

Disclosure Date

Tue, Apr 9th, 2019

Exploitablity Period

Known ITW Exploitation

Detection Methods

Piercing Index Rating

Discovered by

Dan Maas

More vulnerabilities...

low

GCP Stackdriver Debugger SSRF

An SSRF bug in GCP's Stackdriver Debugger feature's code import could have been used to leak the authentication token of the user to an attacker-controlled server. Exploitation would require that t...

Ron Chan

Thu, Dec 19th, 2019

medium

GCP Cloudshell Vulnerabilities

Wouter ter Maat discovered 9 vulnerabilities in GCP Cloudshell that could allow an attacker to access resources in another customer's environment.

Wouter ter Maat, Offensi

Mon, Dec 16th, 2019

medium

GCP Cloudshell XSS and CSRF bugs

GCP Cloudshell has been affected by various XSS and CSRF vulnerabilities stemming from different root causes related to authentication handling, markdown editing, file uploading and more. Explotiat...

Obmi

Sun, Dec 15th, 2019

View all