medium

GCP Speech to Text Information Disclosure

Published Sun, Jan 12th, 2020

Platforms

Summary

GCP's Speech-to-Text "operations/list" and "operations/get" APIs would return data that did not belong to the caller when no parameters were provided. It is unclear whether this was cross-customer data disclosure, or potentially test or internal data.

Affected Services

GCP Speech-to-Text

Remediation

None required

Tracked CVEs

No tracked CVEs

References

https://www.dcine.com/2020/01/12/information-disclosure-vulnerability-in-the-google-cloud-speech-to-text-api/

Contributed by https://github.com/ramimac

Entry Status

Finalized

Disclosure Date

Tue, Apr 9th, 2019

Exploitability Period

Known ITW Exploitation

Detection Methods

None

Piercing Index Rating

Discovered by

Dan Maas

More vulnerabilities...

low

GCP Stackdriver Debugger SSRF

An SSRF bug in GCP's Stackdriver Debugger feature's code import could have been used to leak the authentication token of the user to an attacker-controlled server. Exploitation would require that t...

Ron ChanDec 19, 2019

medium

GCP Cloudshell Vulnerabilities

Wouter ter Maat discovered 9 vulnerabilities in GCP Cloudshell that could allow an attacker to access resources in another customer's environment.

Wouter ter Maat, OffensiDec 16, 2019

medium

GCP Cloudshell XSS and CSRF bugs

GCP Cloudshell has been affected by various XSS and CSRF vulnerabilities stemming from different root causes related to authentication handling, markdown editing, file uploading and more. Explotiat...

ObmiDec 15, 2019

View all