CVE-2024-38109

Server-Side Request Forgery (SSRF) (CWE-918)

Published: Aug 13, 2024

CVSS 9.1 | EPSS 0.09% | Critical

Summary

An authenticated attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability in Microsoft Azure Health Bot to elevate privileges over a network.

Impact

This vulnerability allows an authenticated attacker to potentially gain unauthorized access to sensitive information or execute unauthorized actions on behalf of the Azure Health Bot service. The impact is severe, with a CVSS base score of 8.8 (High). The vulnerability affects confidentiality, integrity, and availability, all rated as High. This indicates that an attacker could access sensitive data, modify data, and potentially disrupt the availability of the service.

Exploitation

There is no evidence of a public proof-of-concept, and no evidence of exploitation in the wild at this time.

Patch

A patch is available. Microsoft has released an official fix for this vulnerability on August 13, 2024.

Mitigation

1. Apply the official patch released by Microsoft as soon as possible.
2. Implement network segmentation and access controls to limit potential SSRF attacks.
3. Monitor for suspicious network activity related to Azure Health Bot.
4. Ensure that authentication mechanisms are robust and regularly audited.
5. Consider implementing additional security measures such as Web Application Firewalls (WAF) to help detect and prevent SSRF attempts.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C

Timeline

First Article

Feedly found the first article mentioning CVE-2024-38109.

Aug 13, 2024 at 2:46 PM / #infosec
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Aug 13, 2024 at 5:33 PM
CVSS

A CVSS base score of 9.1 has been assigned.

Aug 13, 2024 at 5:35 PM / microsoft
CVE Assignment

NVD published the first details for CVE-2024-38109

Aug 13, 2024 at 6:15 PM
Threat Intelligence Report

CVE-2024-38109 is a critical elevation of privilege vulnerability affecting Azure Health Bot, with a CVSSv3 score of 9.1. The vulnerability was discovered by Tenable researcher Jimi Sebree and has been patched by Microsoft. No action is required for users, and there are no known proof-of-concept exploits or downstream impacts to other vendors or technologies.

Aug 13, 2024 at 7:15 PM
EPSS

EPSS Score was set to: 0.09% (Percentile: 40.8%)

Nov 19, 2024 at 3:57 PM

Affected Systems

Microsoft/azure_health_bot

Patches

Microsoft

Attack Patterns

CAPEC-664: Server Side Request Forgery

References

CVE-2024-38109 - Security Update Guide - Azure Health Bot Elevation of Privilege Vulnerability
Azure Health Bot Elevation of Privilege Vulnerability. CVE-2024-38109. Security Vulnerability. Released: August 13, 2024. Assigning CNA ...
Microsoft August 2024 Security Updates
Classification: Critical, Solution: Official Fix, Exploit Maturity: High, CVSSv3.1: 9.8, CVEs: CVE-2024-21302, CVE-2024-29995, CVE-2024-37968, CVE-2024-38063, CVE-2024-38084, CVE-2024-38098, CVE-2024-38106, CVE-2024-38107, CVE-2024-38108, CVE-2024-38109, CVE-2024-38114, CVE-2024-38115, CVE-2024-38116, CVE-2024-38117, CVE-2024-38118, CVE-2024-38120, CVE-2024-38121, CVE-2024-38122, CVE-2024-38123, CVE-2024-38125 (+82 other associated CVEs), Summary: https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2024-patch-tuesday-fixes-9-zero-days-6-exploited/ Today is Microsoft's August 2024 Patch Tuesday, which includes security updates for 89 flaws, including six actively exploited and three publicly disclosed zero-days. Microsoft is still working on an update for a tenth publicly disclosed zero-day. This Patch Tuesday fixed eight critical vulnerabilities, which were a mixture of elevation of privileges, remote code execution, and information disclosure. The number of bugs in each vulnerability category is listed below:
Azure Health Bot Elevation of Privilege Vulnerability
An authenticated attacker can exploit a Server-Side Request Forgery (SSRF) vulnerability in Microsoft Azure Health Bot to elevate privileges over a network. Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.

News

August 2024 Patch Tuesday: Six Zero-Days and Six Critical Vulnerabilities Amid 85 CVEs
Severity  | CVSS Score | CVE            | Description
Important | 7.8        | CVE-2024-38193 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Important | 8.8        | CVE-2024-38189 | Microsoft Project Remote Code Execution Vulnerability
Security & Threat Updates – September 2024:
Microsoft addressed 79 Common Vulnerabilities and Exposures (CVEs) this month, 4 of which were marked as zero-day vulnerabilities. The most critical CVEs are noted below:
Microsoft’s September 2024 Patch Tuesday Update Fixes 79 Vulnerabilities
Microsoft addressed 79 vulnerabilities in September 2024 Patch Tuesday, with 7 critical flaws in components like Windows, Office, and SharePoint. Microsoft released yesterday the September 2024 Patch Tuesday updates for all supported versions of Windows 10 and Windows 11.
Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data
Summary: A critical security vulnerability (CVE-2024-38206) in Microsoft’s Copilot Studio allows authenticated attackers to exploit server-side request forgery (SSRF) to leak sensitive information. “An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network,” Microsoft said in an advisory released on August 6, 2024.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability Impact: High
