Bypassing SSRF Protection Leaks Sensitive Information

CVE-2024-38206

8.5HIGH

Key Information

Vendor: Microsoft
Status: Microsoft Copilot Studio
Vendor: CVE Published:; 6 August 2024

Badges

😄 Trended👾 Exploit Exists📰 News Worthy

Summary

The vulnerability CVE-2024-38206 in Microsoft's Copilot Studio tool allows an attacker to bypass Server-Side Request Forgery (SSRF) protection and leak sensitive cloud-based information across multiple tenants within cloud environments. The flaw can be exploited to access Microsoft's internal infrastructure and other internal hosts unrestricted on the local subnet. While the exploit has been mitigated, the potential impact on cloud data and services for multiple customers underscores the seriousness of the vulnerability. This vulnerability highlights the potential for attackers to abuse the tool's HTTP-request feature to gain elevated access to cloud data and resources.

Affected Version(s)

Microsoft Copilot Studio =

News Articles

CVE-2024-38206

Microsoft Copilot Studio Exploit Leaks Sensitive Cloud Data

A server-side request forgery (SSRF) bug in Microsoft's tool for creating custom AI chatbots potentially exposed info across multiple tenants within cloud environments.

1 month ago

CVSS V3.1

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit exists.
Sep 10, 2024
Risk change from: 6.5 to: 8.5 - (HIGH)
Aug 23, 2024
Vulnerability started trending.
Aug 22, 2024
First article discovered by null
Aug 21, 2024
Risk change from: 6.5 to: 8.5 - (HIGH)
Aug 13, 2024
Vulnerability published.
Aug 6, 2024

Collectors

NVD DatabaseMitre DatabaseMicrosoft Feed1 News Article(s)