#VU127480 Server-Side Request Forgery (SSRF) in TruffleHog - CVE-2024-43379

Published: August 17, 2024 / Updated: April 24, 2026


Vulnerability identifier: #VU127480
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-43379
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
TruffleHog
Software vendor:
Truffle Security

Description

The vulnerability allows a remote attacker to make the scanner send requests to attacker-chosen endpoints.

The vulnerability exists due to server-side request forgery in some detectors when scanning maliciously crafted data. A remote attacker can plant crafted data in content that the victim later scans and cause the affected detector to direct the outbound request it makes (for example, to verify a candidate secret) to an endpoint of the attacker's choosing instead of the service it was meant to contact.

User interaction is required because the victim must run a scan over the crafted data. The impact is limited: the attacker controls only the destination of the request, so exploitation is effective only if the targeted endpoint accepts unauthenticated GET requests and performs a side effect when one arrives.
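The Go program below is an added illustration, not TruffleHog's code, and the service, key format, `svc_host` marker and detector functions in it are hypothetical. It contrasts a toy detector that takes its verification host from the scanned data (the SSRF pattern described above) with one that only contacts an allowlisted host, and it uses an `httptest` server as the attacker-chosen endpoint so the difference can be observed offline. The same harness is the check a practitioner would run against a scanner: feed it crafted data and count the requests that reach a listener you control.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
	"sync/atomic"
)

// Constructed, hypothetical secret format: "svc_" followed by 32 hex characters.
// A self-hosted instance may be announced in the data as "svc_host=<url>".
var keyRe = regexp.MustCompile(`\bsvc_[0-9a-f]{32}\b`)
var hostRe = regexp.MustCompile(`(?i)svc_host\s*=\s*(\S+)`)

// defaultBase is the hypothetical vendor API; .invalid never resolves.
const defaultBase = "https://api.example-svc.invalid"

// allowedHosts is the fixed set of hosts a verification request may go to.
var allowedHosts = map[string]bool{"api.example-svc.invalid": true}

// Finding records a candidate secret and what the detector did with it.
type Finding struct {
	Key       string
	VerifyURL string // empty when no request was made
	Verified  bool
}

// verify sends the GET request a detector would use to test a candidate key.
func verify(client *http.Client, verifyURL, key string) bool {
	req, err := http.NewRequest(http.MethodGet, verifyURL, nil)
	if err != nil {
		return false
	}
	req.Header.Set("Authorization", "Bearer "+key)
	resp, err := client.Do(req)
	if err != nil {
		return false
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

// VulnerableDetect builds the verification URL from whatever host appears in
// the scanned data, so crafted input can point the request anywhere (SSRF).
func VulnerableDetect(client *http.Client, data string) []Finding {
	base := defaultBase
	if m := hostRe.FindStringSubmatch(data); m != nil {
		base = m[1] // attacker-controlled
	}
	var out []Finding
	for _, key := range keyRe.FindAllString(data, -1) {
		f := Finding{Key: key, VerifyURL: base + "/v1/me"}
		f.Verified = verify(client, f.VerifyURL, key)
		out = append(out, f)
	}
	return out
}

// HardenedDetect accepts a host from the data only if it is https and on the
// allowlist; otherwise the finding is reported unverified and no request is sent.
func HardenedDetect(client *http.Client, data string) []Finding {
	base := defaultBase
	if m := hostRe.FindStringSubmatch(data); m != nil {
		base = ""
		if u, err := url.Parse(m[1]); err == nil && u.Scheme == "https" && allowedHosts[u.Hostname()] {
			base = "https://" + u.Host
		}
	}
	var out []Finding
	for _, key := range keyRe.FindAllString(data, -1) {
		f := Finding{Key: key}
		if base != "" {
			f.VerifyURL = base + "/v1/me"
			f.Verified = verify(client, f.VerifyURL, key)
		}
		out = append(out, f)
	}
	return out
}

// RunHarness scans constructed crafted data with the given detector while an
// httptest server plays the attacker-chosen endpoint; it returns how many
// requests reached that endpoint together with the detector's findings.
func RunHarness(detect func(*http.Client, string) []Finding) (int32, []Finding) {
	var hits int32
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt32(&hits, 1)
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()
	crafted := "svc_host=" + srv.URL + "\nsvc_0123456789abcdef0123456789abcdef\n" // constructed input
	findings := detect(srv.Client(), crafted)
	return atomic.LoadInt32(&hits), findings
}

func main() {
	for name, d := range map[string]func(*http.Client, string) []Finding{
		"vulnerable": VulnerableDetect, "hardened": HardenedDetect,
	} {
		hits, f := RunHarness(d)
		fmt.Printf("%s detector: %d request(s) reached the attacker endpoint, findings=%+v\n", name, hits, f)
	}
}
```

The vulnerable detector reaches the listener once and even reports the planted key as verified, because the attacker's server answered 200; the hardened one makes no request at all and leaves the finding unverified. Pinning the destination rather than trying to sanitize the URL is the point: the only thing the data may influence is which allowlisted host is used, never the host itself.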


Remediation

Install the security update from the vendor's website.

External links