CVE-2024-8642

Sept. 19, 2024, 3:18 p.m.

8.1
High

Description

In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module "transfer-data-plane". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.

Product(s) Impacted

Vendor Product Versions
Eclipse
  • Eclipse Dataspace Components
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-303
Incorrect Implementation of Authentication Algorithm
The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a eclipse eclipse_dataspace_components / / / / / / / /

References

https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6
https://github.com/eclipse-edc/Connector/releases/tag/v0.9.0
https://gitlab.eclipse.org/security/cve-assignement/-/issues/28
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234

Tags

CWE-303
CWE-287
emo@eclipse.org
2024-09-11
CVE-2024-8642

CVSS Score

8.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

    View Vector String

Timeline

Published: Sept. 11, 2024, 2:15 p.m.
Last Modified: Sept. 19, 2024, 3:18 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

emo@eclipse.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.