CVE-2024-38206

Server-Side Request Forgery (SSRF) (CWE-918)

Published: Aug 6, 2024

CVSS: 8.5 | EPSS: 0.06% | Severity: High

Summary

An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network. This vulnerability has a CVSS base score of 6.5, indicating medium severity. The attack vector is network-based, with low attack complexity and low privileges required, and no user interaction is needed. The confidentiality impact is rated high, while the integrity and availability impacts are none.

Impact

This vulnerability could allow an authenticated attacker to bypass SSRF protection in Microsoft Copilot Studio, potentially leading to the leakage of sensitive information over a network. The confidentiality impact is high, which means attackers could access and exfiltrate sensitive data. However, the integrity and availability of the system are not directly affected. The attack is network-based and does not require user interaction, making it potentially easier for attackers to exploit remotely.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A patch is available. Microsoft has released an official fix for this vulnerability. The patch was added on August 6, 2024. It is crucial for the security team to apply this patch as soon as possible to mitigate the risk.

Mitigation

1. Apply the official patch released by Microsoft as soon as possible.
2. Limit network access to Microsoft Copilot Studio to trusted users only.
3. Implement strong authentication mechanisms to prevent unauthorized access.
4. Monitor for any suspicious network activities or data exfiltration attempts.
5. Regularly review and update access controls for Microsoft Copilot Studio.
6. Implement network segmentation to isolate sensitive resources that could be targeted through this vulnerability.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C

Timeline

CVSS

A CVSS base score of 8.5 has been assigned.

Aug 6, 2024 at 9:45 PM / microsoft
First Article

Feedly found the first article mentioning CVE-2024-38206.

Aug 6, 2024 at 9:48 PM / Microsoft Security Advisories - MSRC
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Aug 6, 2024 at 9:48 PM
CVE Assignment

NVD published the first details for CVE-2024-38206

Aug 6, 2024 at 10:15 PM
CVSS

A CVSS base score of 6.5 has been assigned.

Aug 12, 2024 at 6:35 PM / nvd
Threat Intelligence Report

CVE-2024-38206 is a critical-severity information disclosure vulnerability affecting Microsoft’s Copilot Studio, with a CVSSv3 score of 8.5. The vulnerability could be exploited by an authenticated attacker to bypass SSRF protections and leak sensitive information. Microsoft has released a patch for this vulnerability, and no user action is required.

Aug 13, 2024 at 7:15 PM
EPSS

EPSS Score was set to: 0.09% (Percentile: 39.6%)

Nov 19, 2024 at 4:47 PM

Affected Systems

Microsoft/copilot_studio

Patches

Microsoft

Attack Patterns

CAPEC-664: Server Side Request Forgery

References

Microsoft August 2024 Security Updates
Classification: Critical, Solution: Official Fix, Exploit Maturity: High, CVSSv3.1: 9.8, CVEs: CVE-2024-21302, CVE-2024-29995, CVE-2024-37968, CVE-2024-38063, CVE-2024-38084, CVE-2024-38098, CVE-2024-38106, CVE-2024-38107, CVE-2024-38108, CVE-2024-38109, CVE-2024-38114, CVE-2024-38115, CVE-2024-38116, CVE-2024-38117, CVE-2024-38118, CVE-2024-38120, CVE-2024-38121, CVE-2024-38122, CVE-2024-38123, CVE-2024-38125 (+82 other associated CVEs), Summary: https://www.bleepingcomputer.com/news/microsoft/microsoft-august-2024-patch-tuesday-fixes-9-zero-days-6-exploited/ Today is Microsoft's August 2024 Patch Tuesday, which includes security updates for 89 flaws, including six actively exploited and three publicly disclosed zero-days. Microsoft is still working on an update for a tenth publicly disclosed zero-day. This Patch Tuesday fixed eight critical vulnerabilities, which were a mixture of elevation of privileges, remote code execution, and information disclosure. The number of bugs in each vulnerability category is listed below:
CVE-2024-38206 - Security Update Guide - Microsoft - Microsoft Copilot Studio Information Disclosure Vulnerability
Microsoft Copilot Studio Information Disclosure Vulnerability
An authenticated attacker can bypass Server-Side Request Forgery (SSRF) protection in Microsoft Copilot Studio to leak sensitive information over a network. Please see Toward greater transparency: Unveiling Cloud Service CVEs for more information.

News

Should I be worried about CVE-2024-38206
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-38206 My org uses Copilot a lot, especially with sensitive info. submitted by /u/swiftninja_
Microsoft’s September 2024 Patch Tuesday Update Fixes 79 Vulnerabilities
Microsoft addressed 79 vulnerabilities in September 2024 Patch Tuesday, with 7 critical flaws in components like Windows, Office, and SharePoint. Microsoft released yesterday the September 2024 Patch Tuesday updates for all supported versions of Windows 10 and Windows 11.
Critical server-side vulnerability in Microsoft Copilot Studio gives illegal access to internal infrastructure
This flaw, identified as a server-side request forgery (SSRF), allows unauthorized access to internal infrastructure, potentially impacting multiple tenants. In the case of Copilot Studio, the SSRF vulnerability could have been exploited to access Microsoft’s Instance Metadata Service (IMDS).
@iototsecnews: Microsoft Copilot Studio vulnerability CVE-2024-38206: serious information disclosure fixed #AIML #Cloud #Copilot #Microsoft #SSRF #Tenable #Vulnerability
Microsoft Copilot Studio vulnerability CVE-2024-38206: serious information disclosure fixed https://t.co/lZ3XgXZig6 #AIML #Cloud #Copilot #Microsoft #SSRF #Tenable #Vulnerability — iototsecnews (@iototsecnews) August 29, 2024
Microsoft Copilot Studio Vulnerability Could Expose Sensitive Data - Cyber Security News
According to a recent post from Tenable, a serious server-side request forgery (SSRF) vulnerability impacted the security of Microsoft Copilot Studio. Specifically, a critical SSRF vulnerability affected the Microsoft Copilot Studio, which could expose sensitive internal data to an adversary.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None
