8.6

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2024-23838

GHSA ID

GHSA-67m4-qxp3-j6hh

EPSS Score

0.33531%

CWE

CWE-918

Published

1/30/2024

Updated

1/30/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-23838

CVE-2024-23838: TrueLayer.Client SSRF when fetching payment or payment provider

Impact

The vulnerability could potentially allow a malicious actor to gain control over the destination URL of the HttpClient used in the API classes. For applications using the SDK, requests to unexpected resources on local networks or to the internet could be made which could lead to information disclosure.

Patches

Versions of TrueLayer.Client v1.6.0 and later are not affected.

Workarounds

The issue can be mitigated by having strict egress rules limiting the destinations to which requests can be made, and applying strict validation to any user input passed to the TrueLayer.Client library.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-23838

CVE-2024-23838:

8.6

CVSS Score

3.0

-

CVSS Score

Basic Information

CVE ID

CVE-2024-23838

GHSA ID

GHSA-67m4-qxp3-j6hh

EPSS Score

0.33531%

CWE

CWE-918

Published

1/30/2024

Updated

1/30/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
TrueLayer.Client	nuget	< 1.6.0	1.6.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key patterns: 1) API methods accepting arbitrary URIs without validation (ApiClient methods), and 2) ID parameters being used in URI construction without proper sanitization (various API methods). The commit adds critical validation through HasValidBaseUri checks for URIs and NotAUrl checks for ID parameters, directly addressing SSRF vectors. The affected functions are clearly identified through the patch's focus on URI validation in ApiClient and ID sanitization in API implementations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-23838: TrueLayer.Client SSRF when fetching payment or payment provider

Impact

Patches

Workarounds

CVE-2024-23838:

8.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-23838: TrueLayer.Client SSRF when fetching payment or payment provider

Impact

Patches

Workarounds

Basic Information

Basic Information

8.6

8.6

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI