CVE-2024-23838

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-23838
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23838.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-23838
Aliases
Published
2024-01-30T17:15:11Z
Modified
2024-05-15T01:19:41.654049Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

TrueLayer.NET is the .NET client for TrueLayer. The vulnerability could potentially allow a malicious actor to gain control over the destination URL of the HttpClient used in the API classes. Applications using the SDK could be made to send requests to unexpected resources on local networks or on the internet, which could lead to information disclosure. The issue can be mitigated by enforcing strict egress rules that limit the destinations to which requests can be made, and by applying strict validation to any user input passed to the truelayer-dotnet library. Versions of TrueLayer.Client v1.6.0 and later are not affected.

References

Affected packages

Git / github.com/truelayer/truelayer-dotnet

Affected ranges

Type
GIT
Repo
https://github.com/truelayer/truelayer-dotnet
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.1.0
0.1.0-beta.1
0.1.1
0.2.0
0.2.1
0.2.1-beta1
0.2.1-beta2
0.2.1-beta3
0.2.2
0.2.3
0.3.0
0.3.0-alpha0
0.3.1
0.3.1-beta1
0.3.2
0.3.3

1.*

1.0.0
1.1.0
1.1.0-beta1
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.4.0
1.5.0
1.5.0-beta1