What Happened
Tenable researchers discovered that the HttpRequestAction feature in Microsoft Copilot Studio could be abused for server-side request forgery. Although the feature blocked sensitive targets like localhost and the cloud metadata endpoint, that protection was bypassed by pointing the request at an attacker server that returned an HTTP redirect to the forbidden hosts. This let researchers reach Azure's Instance Metadata Service and internal Cosmos DB instances.
Impact
The flaw yielded managed-identity access tokens and read/write access to an internal Cosmos DB, with potential cross-tenant infrastructure exposure (CVE-2024-38206, CVSS 8.5, rated critical information disclosure). Microsoft patched it server-side by July 31, 2024, requiring no customer action.
How to Prevent This
- Resolve and re-validate redirect targets so SSRF filters cannot be bypassed via 301/302 responses
- Block access to cloud metadata endpoints and internal IP ranges at the network layer, not just in application logic
- Scope managed identities to least privilege so a leaked token grants minimal reach
- Isolate multi-tenant AI request features from shared internal infrastructure
- Fuzz user-configurable HTTP actions for SSRF during security review