CVE-2024-4399
Published: 23 May 2024
Summary
CVE-2024-4399 is a critical-severity SSRF (CWE-918) vulnerability in Apereo Central Authentication Service. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Service Discovery (T1046). The CVE ranks in the top 3.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
CVE-2024-4399 is a server-side request forgery vulnerability (CWE-918) caused by missing validation of a parameter before the software issues a request to the supplied value. The flaw carries a CVSS 3.1 score of 9.1 and affects the component referenced in the associated WPScan entry published on 23 May 2024.
Unauthenticated attackers with network access can supply an arbitrary URL and force the affected software to make an outbound request, resulting in high impact to confidentiality and integrity without any user interaction or privileges.
The linked WPScan advisories describe the issue and are the primary public sources of technical detail and remediation guidance for the vulnerability.
EPSS for the CVE reached a peak of 0.3006 and currently stands at 0.2505, indicating sustained moderate exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-44030
Vulnerability details
The does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attacks.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Unauthenticated SSRF in a public-facing WordPress theme enables exploitation of the application (T1190) and internal network service discovery by forcing the server to send requests to arbitrary internal endpoints such as localhost ports (T1046).
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.
Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.
Validates server-side URLs and resource references to block SSRF attempts.
Detects server-side request forgery through monitoring of unexpected outbound connections.
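The URL-validation control above, sketched as an added example; it is not code from the advisory or from the affected software. The function names, the allowed schemes and the allowed ports are assumptions chosen for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # assumption: the feature only needs normal web ports

def system_resolver(host, port):
    """Return every IP string the HTTP client could end up connecting to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def is_public(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:  # judge ::ffff:127.0.0.1 as 127.0.0.1
        ip = mapped
    return ip.is_global and not ip.is_multicast

def check_outbound_url(url, resolver=system_resolver):
    """Return (ok, reason, pinned_ips) for a user-supplied URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL", set()
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", set()
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed", set()
    host = parts.hostname
    if not host:
        return False, "missing host", set()
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, "port not allowed", set()
    try:
        ips = resolver(host, port)
    except (OSError, UnicodeError):
        return False, "host does not resolve", set()
    # Reject if ANY resolved address is internal, not just the first one.
    if not ips or not all(is_public(ip) for ip in ips):
        return False, "resolves to a non-public address", set()
    return True, "ok", ips

if __name__ == "__main__":
    for u in ("http://127.0.0.1:8080/", "ftp://example.org/", "http://[::1]/"):
        print(u, check_outbound_url(u)[:2])
```

The request should then be sent to one of the returned `pinned_ips` rather than re-resolving the hostname, and every redirect target should pass through the same check.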