CVE-2024-23838

7.5 HIGH

📋 TL;DR

This vulnerability in the TrueLayer.NET SDK lets attacker-controlled input alter the destination URL of the HttpClient used by the SDK's API classes, so a request the application believes it is sending to TrueLayer can instead go to another host on the internet or on the local network. Whatever the SDK attaches to that request, and the response it then receives, end up at an unexpected resource, leading to information disclosure. All versions before v1.6.0 are affected.

💻 Affected Systems

Products:
  • TrueLayer.NET SDK (truelayer-dotnet)
Versions: All versions before v1.6.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only applications that pass attacker-influenced input into the affected SDK methods are exposed; an application that calls the SDK with values it generates itself is not reachable through this bug.

📦 What is this software?

TrueLayer.NET (NuGet package TrueLayer.Client, repository truelayer-dotnet) is TrueLayer's official .NET client library for calling its payments and open banking APIs from .NET applications.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A request carrying the headers and body the SDK attaches (including any access token it has obtained) is delivered to an attacker-controlled server, or is steered at internal network resources (SSRF) that the application server can reach but the attacker cannot.

🟠 Likely Case

API requests, and the responses the SDK then processes, are exchanged with an attacker-controlled host, exposing user data or financial information.

🟢 If Mitigated

With strict input validation and egress restricted to the TrueLayer endpoints the application actually uses, a redirected request is rejected before it is sent or cannot leave the network, and exploitation is unlikely to succeed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires that attacker-influenced input reach an affected SDK method (for example, a value taken from an incoming request and passed straight through). No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.6.0

Vendor Advisory: https://github.com/TrueLayer/truelayer-dotnet/security/advisories/GHSA-67m4-qxp3-j6hh

Restart Required: No

Instructions:

1. Update the TrueLayer.Client NuGet package to v1.6.0 or later, both as a direct reference and in any package that pulls it in transitively.

2. Run 'dotnet restore' to fetch the updated package.

3. Rebuild and redeploy your application; the fix only takes effect in the newly deployed build.

🔧 Temporary Workarounds

Implement strict input validation

Applies to: all

Validate every user-supplied value before it reaches a TrueLayer SDK method. Allow-list the characters an identifier may contain and reject anything containing a scheme, a slash, a dot-segment ("..") or whitespace, rather than trying to sanitise such values after the fact.

Network egress restrictions

Applies to: all

Restrict outbound connections from application servers, at the firewall or egress proxy, to the TrueLayer API endpoints the application actually uses, so that a redirected request cannot reach another host on the internet or on the local network.

🧯 If You Can't Patch

  • Implement strict input validation on all user inputs passed to TrueLayer SDK
  • Deploy network egress controls to restrict outbound connections to only authorized TrueLayer endpoints
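The C# program below is an added illustration written for this page; it is not code from the TrueLayer SDK or from the advisory, and it does not reproduce the SDK's own URL-building logic. It serves both the Temporary Workarounds and the If You Can't Patch list above. It first shows the bug class behind the advisory: .NET's Uri(Uri, string) constructor treats its second argument as a URI reference, so an absolute URL, a scheme-relative URL or a dot-segment in user input changes where the request goes. It then shows the two mitigations in code: an allow-list validator applied before a value reaches an SDK call, and a DelegatingHandler that refuses any outbound request to a host outside an allow-list. The API base URL, the identifier format, the allowed host names, and the idea that your SDK registration lets you supply a custom HttpClient or handler are all assumptions made for the example; check the SDK's own configuration API for the last one.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.RegularExpressions;
using System.Threading;
using System.Threading.Tasks;

// Assumed API base for the illustration; the real SDK's base URLs and
// URL-building code are not reproduced here.
var apiBase = new Uri("https://api.truelayer.com/v3/payments/");

// (1) The bug class: Uri(Uri, string) resolves its second argument as a
// URI *reference*. An absolute or scheme-relative URL replaces the base,
// and dot-segments walk out of the intended path.
foreach (var id in new[] { "pay-123", "https://evil.example/collect", "//evil.example/collect", "../../internal/admin" })
    Console.WriteLine($"{id,-32} -> {new Uri(apiBase, id)}");
// pay-123                          -> https://api.truelayer.com/v3/payments/pay-123
// https://evil.example/collect     -> https://evil.example/collect
// //evil.example/collect           -> https://evil.example/collect
// ../../internal/admin             -> https://api.truelayer.com/internal/admin

// (2) Workaround 1: validate before the value reaches the SDK, and check the
// resolved destination against the base as a second line of defence.
Console.WriteLine(SafeUrl.ResolveChecked(apiBase, "pay-123"));
foreach (var bad in new[] { "https://evil.example/collect", "../../internal/admin" })
{
    try { SafeUrl.ResolveChecked(apiBase, bad); }
    catch (ArgumentException e) { Console.WriteLine($"rejected: {e.Message}"); }
}

// (3) Workaround 2, in-process: an HttpClient handler that refuses any
// request whose host is not on the allow-list, however the URL was built.
// Pair it with firewall egress rules; do not rely on it alone.
var guarded = new HostAllowListHandler(
    new[] { "api.truelayer.com", "auth.truelayer.com" }, new HttpClientHandler());
foreach (var uri in new[] { "https://api.truelayer.com/v3/payments/pay-123",
                            "https://evil.example/collect",
                            "http://169.254.169.254/latest/meta-data/" })
    Console.WriteLine($"{uri,-48} allowed={guarded.IsAllowed(new Uri(uri))}");
// using var client = new HttpClient(guarded);  // hand this to the SDK only if its
//                                              // registration accepts a custom client/handler (assumption)

static class SafeUrl
{
    // Identifiers are opaque tokens; an allow-list of characters is simpler
    // and safer than trying to block bad ones. The exact format is assumed.
    static readonly Regex SafeId = new("^[A-Za-z0-9_-]{1,128}$", RegexOptions.Compiled);

    public static Uri ResolveChecked(Uri apiBase, string userSupplied)
    {
        if (userSupplied is null || !SafeId.IsMatch(userSupplied))
            throw new ArgumentException($"identifier '{userSupplied}' contains characters that are not allowed");

        var resolved = new Uri(apiBase, Uri.EscapeDataString(userSupplied));

        // Belt and braces: the destination must still sit under the API base.
        if (resolved.Host != apiBase.Host ||
            !resolved.AbsolutePath.StartsWith(apiBase.AbsolutePath, StringComparison.Ordinal))
            throw new ArgumentException($"'{userSupplied}' would leave the API base");
        return resolved;
    }
}

sealed class HostAllowListHandler : DelegatingHandler
{
    readonly HashSet<string> allowedHosts;

    public HostAllowListHandler(IEnumerable<string> hosts, HttpMessageHandler inner) : base(inner)
        => allowedHosts = new HashSet<string>(hosts, StringComparer.OrdinalIgnoreCase);

    // HTTPS only, and only to hosts we expect the SDK to talk to.
    public bool IsAllowed(Uri uri) =>
        uri.Scheme == Uri.UriSchemeHttps && allowedHosts.Contains(uri.Host);

    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        if (request.RequestUri is null || !IsAllowed(request.RequestUri))
            throw new HttpRequestException($"blocked outbound request to '{request.RequestUri}': host not allow-listed");
        return base.SendAsync(request, ct);
    }
}
```

This runs as a top-level program on .NET 6 or later and sends nothing over the network: the handler is only asked to classify URLs, so the demonstration works offline. The validator rejects the hostile inputs before any Uri is built, and the second check inside ResolveChecked catches anything that slips through the character allow-list; the handler is the last line of defence if the SDK builds a URL you never see.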

🔍 How to Verify

Check if Vulnerable:

Check the TrueLayer.Client package version in your project's .csproj file, packages.lock.json, or NuGet package manager, including transitive references brought in by other packages. Versions below 1.6.0 are vulnerable.

Check Version:

dotnet list package --include-transitive | grep TrueLayer.Client      # Linux/macOS
dotnet list package --include-transitive | findstr TrueLayer.Client   # Windows

Verify Fix Applied:

Verify the installed TrueLayer.Client package version is 1.6.0 or higher using 'dotnet list package' or checking the .csproj file.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected outbound HTTP requests from application
  • Requests to non-TrueLayer domains from TrueLayer SDK
  • HTTP errors from unexpected destinations

Network Indicators:

  • Outbound HTTP requests to unexpected IP addresses or domains
  • Requests to internal network resources from application servers

SIEM Query:

source="application_logs" AND ("TrueLayer" OR "truelayer-dotnet") AND NOT destination_host IN ("api.truelayer.com", "auth.truelayer.com", "api.truelayer-sandbox.com", "auth.truelayer-sandbox.com")

Match on the destination host rather than on a hard-coded IP range, which goes stale; the host list should be the TrueLayer endpoints your application is actually configured to use (the production and sandbox hosts above are TrueLayer's documented API and auth endpoints).

🔗 References

  • Vendor advisory (GHSA-67m4-qxp3-j6hh): https://github.com/TrueLayer/truelayer-dotnet/security/advisories/GHSA-67m4-qxp3-j6hh
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-23838