CVE-2024-8642

Sept. 11, 2024, 4:26 p.m.

Undergoing Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

Eclipse Dataspace Components

  • 0.5.0 - 0.8.9

Source

emo@eclipse.org

CVE-2024-8642 details

Published : Sept. 11, 2024, 2:15 p.m.
Last Modified : Sept. 11, 2024, 4:26 p.m.

Description

In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires a dataplane that is configured to support HTTP proxy consumer pull AND includes the module "transfer-data-plane". The affected code was marked deprecated from version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.
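The time-based checks the description says were missing (expiry, not-before, issuance date), written out as an added Java example; this is not code from Eclipse Dataspace Components. It assumes the token's signature has already been verified and its claims parsed into a map; the class name, method names and the 30-second leeway are hypothetical.

```java
import java.time.*;
import java.util.*;

// Added illustration, not EDC code: class and method names are hypothetical.
public class TemporalClaimsCheck {

    // Returns the violated rules; an empty list means exp/nbf/iat are acceptable.
    static List<String> validate(Map<String, Object> claims, Clock clock, Duration leeway) {
        Instant now = clock.instant();
        List<String> errors = new ArrayList<>();
        Instant exp = numericDate(claims.get("exp"));
        if (exp == null) {
            errors.add("exp missing or not a NumericDate"); // fail closed
        } else if (!now.isBefore(exp.plus(leeway))) {
            errors.add("token expired");
        }
        checkNotInFuture(claims, "nbf", now.plus(leeway), "token not yet valid", errors);
        checkNotInFuture(claims, "iat", now.plus(leeway), "token issued in the future", errors);
        return errors;
    }

    // nbf and iat are optional here, but when present must be numeric and not after 'limit'.
    static void checkNotInFuture(Map<String, Object> claims, String name, Instant limit,
                                 String message, List<String> errors) {
        if (!claims.containsKey(name)) return;
        Instant value = numericDate(claims.get(name));
        if (value == null) errors.add(name + " is not a NumericDate");
        else if (value.isAfter(limit)) errors.add(message);
    }

    // JWT NumericDate: seconds since the Unix epoch (RFC 7519).
    static Instant numericDate(Object v) {
        return v instanceof Number ? Instant.ofEpochSecond(((Number) v).longValue()) : null;
    }

    public static void main(String[] args) {
        // Constructed sample claims, evaluated against a fixed clock so results are stable.
        Clock clock = Clock.fixed(Instant.parse("2024-09-11T14:15:00Z"), ZoneOffset.UTC);
        long now = clock.instant().getEpochSecond();
        Duration leeway = Duration.ofSeconds(30);
        Map<String, Object> valid = Map.of("iat", now - 60, "nbf", now - 60, "exp", now + 300);
        Map<String, Object> expired = Map.of("iat", now - 7200, "exp", now - 3600);
        Map<String, Object> early = Map.of("iat", now, "nbf", now + 600, "exp", now + 900);
        Map<String, Object> noExp = Map.of("iat", now - 60);
        for (Map<String, Object> claims : List.of(valid, expired, early, noExp)) {
            System.out.println(validate(claims, clock, leeway));
        }
    }
}
```

A validation endpoint should reject the token whenever the returned list is non-empty, so a correctly signed but expired token is refused.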

Weakness

Weakness : CWE-303
Name : Incorrect Implementation of Authentication Algorithm
Description : The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.