
CVE-2024-43376: Umbraco CMS vulnerable to Generation of Error Message Containing Sensitive Information

CVSS Score (v3.1): 4.3

Basic Information

EPSS Score: 0.36877%
Published: 8/20/2024
Updated: 9/17/2024
KEV Status: No
Technology: C#

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: Umbraco.Cms.Api.Management
Ecosystem: nuget
Vulnerable Versions: >= 14.0.0, < 14.1.2
First Patched Version: 14.1.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the error handling middleware in ApplicationBuilderExtensions.cs. Before the patch, the code unconditionally set ProblemDetails.Detail to exception.StackTrace and ProblemDetails.Instance to exception.GetType().Name, without checking whether the site was running in debug mode, so every internal server error returned by the Management API carried the full stack trace to the caller. The commit diff adds an 'isDebug' check based on IHostingEnvironment.IsDebugMode and includes those two fields only when it is true, confirming that the missing check was the root cause. The accompanying changes in AspNetCoreHostingEnvironment.cs (caching the debug mode value) support evaluating that check efficiently but were not the source of the vulnerability. Both the CWE-209 description and the advisory match this insecure error message generation pattern.
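The pattern above, shown as an added illustration rather than Umbraco's own code: a minimal ASP.NET Core exception-handling middleware with the pre-fix assignments left in as comments beside the debug-gated version. The class name is made up for this example, and the host's Development environment (IHostEnvironment.IsDevelopment()) is assumed as a stand-in for Umbraco's IHostingEnvironment.IsDebugMode.

```csharp
// Added illustration, not Umbraco's code: a minimal ASP.NET Core exception-handling
// middleware that shows the insecure pattern described above and the debug-gated fix.
using System;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

public sealed class ProblemDetailsExceptionMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ILogger<ProblemDetailsExceptionMiddleware> _logger;
    private readonly bool _isDebug;

    public ProblemDetailsExceptionMiddleware(
        RequestDelegate next,
        ILogger<ProblemDetailsExceptionMiddleware> logger,
        IHostEnvironment env)
    {
        _next = next;
        _logger = logger;
        // Assumption: the host's Development environment stands in for Umbraco's
        // IHostingEnvironment.IsDebugMode. It is evaluated once here, at construction,
        // so the per-request path does not re-read configuration (the page notes the
        // real fix cached the debug mode value for the same reason).
        _isDebug = env.IsDevelopment();
    }

    public async Task InvokeAsync(HttpContext context)
    {
        try
        {
            await _next(context);
        }
        catch (Exception ex)
        {
            // Full details belong in the server log, which the API caller cannot read.
            _logger.LogError(ex, "Unhandled exception while handling {Path}", context.Request.Path);

            var problem = new ProblemDetails
            {
                Status = StatusCodes.Status500InternalServerError,
                Title = "An unexpected error occurred",
            };

            // Insecure (pre-fix) pattern: the stack trace and exception type name were
            // copied into the response unconditionally, so every 500 response disclosed
            // internal file paths, method names and framework internals to the caller.
            //
            //   problem.Detail   = ex.StackTrace;
            //   problem.Instance = ex.GetType().Name;

            // Fixed pattern: include those fields only when the host is in debug mode.
            if (_isDebug)
            {
                problem.Detail = ex.StackTrace;
                problem.Instance = ex.GetType().Name;
            }

            context.Response.StatusCode = StatusCodes.Status500InternalServerError;
            context.Response.ContentType = "application/problem+json";
            await context.Response.WriteAsync(JsonSerializer.Serialize(problem));
        }
    }
}

// Registration in Program.cs (assumed placement: before the API endpoints are mapped):
//   app.UseMiddleware<ProblemDetailsExceptionMiddleware>();
```

To confirm a deployment is not affected, trigger a handled 500 in a non-debug environment and check that the application/problem+json body contains only the generic title and status, with no "detail" or "instance" fields populated from the exception; the full exception should appear only in the server-side log.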


WAF Protection Rules

WAF Rule

Impact: Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode.

Explanation of the vulnerability: Management API endpoints leaked stack traces in case of Internal server errors, no matte
