CVE-2024-23838 — HIGH (7.5)

Q: How severe is CVE-2024-23838?

CVE-2024-23838 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-23838?

Check the references section above for vendor advisories and patch information. Affected products include: Truelayer Truelayer.Net.

Vulnerability Description

TrueLayer.NET is the .Net client for TrueLayer. The vulnerability could potentially allow a malicious actor to gain control over the destination URL of the HttpClient used in the API classes. For applications using the SDK, requests to unexpected resources on local networks or to the internet could be made which could lead to information disclosure. The issue can be mitigated by having strict egress rules limiting the destinations to which requests can be made, and applying strict validation to any user input passed to the `truelayer-dotnet` library. Versions of TrueLayer.Client `v1.6.0` and later are not affected.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Truelayer	Truelayer.Net	< 1.6.0

Related Weaknesses (CWE)

CWE-918

References

FAQ

What is CVE-2024-23838?

CVE-2024-23838 is a vulnerability with a CVSS score of 7.5 (HIGH). TrueLayer.NET is the .Net client for TrueLayer. The vulnerability could potentially allow a malicious actor to gain control over the destination URL of the HttpClient used in the API classes. For app...

How severe is CVE-2024-23838?

CVE-2024-23838 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-23838?

Check the references section above for vendor advisories and patch information. Affected products include: Truelayer Truelayer.Net.