CVE-2024-23838: 
C# vulnerability analysis and mitigation

TrueLayer.NET, the .Net client for TrueLayer, was found to contain a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2024-23838. The vulnerability was discovered and disclosed on January 30, 2024, affecting all versions of TrueLayer.Client prior to version 1.6.0. This security issue could potentially allow malicious actors to manipulate the destination URL of the HttpClient used in the API classes (GitHub Advisory).

The vulnerability is classified as a Server-Side Request Forgery (SSRF) issue, identified as CWE-918. It received a CVSS v3.1 base score of 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) from NVD, while GitHub assessed it with a CVSS v3.0 score of 8.6 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). The vulnerability exists in the API classes' HttpClient implementation, where insufficient validation of destination URLs could lead to unauthorized request forwarding (NVD).

When exploited, this vulnerability could allow attackers to make requests to unexpected resources on local networks or to the internet, potentially leading to information disclosure. The high severity rating reflects the potential for unauthorized access to sensitive information through manipulated requests (GitHub Advisory).

The vulnerability has been fixed in TrueLayer.Client version 1.6.0 and later. For users unable to update immediately, the issue can be mitigated by implementing strict egress rules that limit the destinations to which requests can be made, and by applying strict validation to any user input passed to the truelayer-dotnet library (GitHub Advisory).