cve-2024-8642
Vulnerability from cvelistv5
Published
2024-09-11 13:34
Modified
2024-09-11 14:06
Severity ?
5.1 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/RE:L/U:Green
Summary
In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module "transfer-data-plane". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.
References
emo@eclipse.orghttps://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6Patch
emo@eclipse.orghttps://github.com/eclipse-edc/Connector/releases/tag/v0.9.0Release Notes
emo@eclipse.orghttps://gitlab.eclipse.org/security/cve-assignement/-/issues/28Issue Tracking
emo@eclipse.orghttps://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234Vendor Advisory
Impacted products
Vendor Product Version
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:eclipse_foundation:edc:0.5.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "edc",
            "vendor": "eclipse_foundation",
            "versions": [
              {
                "lessThan": "0.9.0",
                "status": "affected",
                "version": "0.5.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-8642",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-11T14:03:51.264915Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T14:06:55.373Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2/",
          "defaultStatus": "unaffected",
          "modules": [
            "transfer-data-plane"
          ],
          "packageName": "org.eclipse.edc:transfer-data-plane",
          "product": "Eclipse EDC Connector",
          "repo": "https://github.com/eclipse-edc/Connector",
          "vendor": "Eclipse Foundation",
          "versions": [
            {
              "lessThan": "0.9.0",
              "status": "affected",
              "version": "0.5.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module \"transfer-data-plane\". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed."
            }
          ],
          "value": "In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module \"transfer-data-plane\". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "HIGH",
            "providerUrgency": "GREEN",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/RE:L/U:Green",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-303",
              "description": "CWE-303",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-305",
              "description": "CWE-305",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-11T13:34:28.463Z",
        "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
        "shortName": "eclipse"
      },
      "references": [
        {
          "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234"
        },
        {
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/28"
        },
        {
          "url": "https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6"
        },
        {
          "url": "https://github.com/eclipse-edc/Connector/releases/tag/v0.9.0"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Eclipse EDC: Consumer pull transfer token validation checks not applied",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
    "assignerShortName": "eclipse",
    "cveId": "CVE-2024-8642",
    "datePublished": "2024-09-11T13:34:28.463Z",
    "dateReserved": "2024-09-10T06:20:33.205Z",
    "dateUpdated": "2024-09-11T14:06:55.373Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:eclipse:eclipse_dataspace_components:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"0.5.0\", \"versionEndExcluding\": \"0.9.0\", \"matchCriteriaId\": \"2888B4A6-45F7-4AA7-A1B5-13AA28E245D0\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module \\\"transfer-data-plane\\\". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.\"}, {\"lang\": \"es\", \"value\": \"En Eclipse Dataspace Components, desde la versi\\u00f3n 0.5.0 y antes de la versi\\u00f3n 0.9.0, el ConsumerPullTransferTokenValidationApiController no comprueba la validez del token (vencimiento, fecha anterior, fecha de emisi\\u00f3n), lo que puede permitir que un atacante omita la comprobaci\\u00f3n de vencimiento del token. El problema requiere tener un plano de datos configurado para admitir la extracci\\u00f3n del consumidor del proxy http E incluir el m\\u00f3dulo \\\"transfer-data-plane\\\". El c\\u00f3digo afectado se marc\\u00f3 como obsoleto desde la versi\\u00f3n 0.6.0 a favor de la se\\u00f1alizaci\\u00f3n del plano de datos. En la versi\\u00f3n 0.9.0, se elimin\\u00f3 el c\\u00f3digo vulnerable.\"}]",
      "id": "CVE-2024-8642",
      "lastModified": "2024-09-19T15:18:47.917",
      "metrics": "{\"cvssMetricV40\": [{\"source\": \"emo@eclipse.org\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Green\", \"baseScore\": 5.0, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"HIGH\", \"userInteraction\": \"NONE\", \"vulnerableSystemConfidentiality\": \"NONE\", \"vulnerableSystemIntegrity\": \"NONE\", \"vulnerableSystemAvailability\": \"NONE\", \"subsequentSystemConfidentiality\": \"HIGH\", \"subsequentSystemIntegrity\": \"HIGH\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"NOT_DEFINED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"LOW\", \"providerUrgency\": \"GREEN\"}}], \"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.2}]}",
      "published": "2024-09-11T14:15:14.177",
      "references": "[{\"url\": \"https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6\", \"source\": \"emo@eclipse.org\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/eclipse-edc/Connector/releases/tag/v0.9.0\", \"source\": \"emo@eclipse.org\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://gitlab.eclipse.org/security/cve-assignement/-/issues/28\", \"source\": \"emo@eclipse.org\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234\", \"source\": \"emo@eclipse.org\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "emo@eclipse.org",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"emo@eclipse.org\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-303\"}, {\"lang\": \"en\", \"value\": \"CWE-305\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-8642\",\"sourceIdentifier\":\"emo@eclipse.org\",\"published\":\"2024-09-11T14:15:14.177\",\"lastModified\":\"2024-09-19T15:18:47.917\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module \\\"transfer-data-plane\\\". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.\"},{\"lang\":\"es\",\"value\":\"En Eclipse Dataspace Components, desde la versi\u00f3n 0.5.0 y antes de la versi\u00f3n 0.9.0, el ConsumerPullTransferTokenValidationApiController no comprueba la validez del token (vencimiento, fecha anterior, fecha de emisi\u00f3n), lo que puede permitir que un atacante omita la comprobaci\u00f3n de vencimiento del token. El problema requiere tener un plano de datos configurado para admitir la extracci\u00f3n del consumidor del proxy http E incluir el m\u00f3dulo \\\"transfer-data-plane\\\". El c\u00f3digo afectado se marc\u00f3 como obsoleto desde la versi\u00f3n 0.6.0 a favor de la se\u00f1alizaci\u00f3n del plano de datos. En la versi\u00f3n 0.9.0, se elimin\u00f3 el c\u00f3digo vulnerable.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"emo@eclipse.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Green\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnerableSystemConfidentiality\":\"NONE\",\"vulnerableSystemIntegrity\":\"NONE\",\"vulnerableSystemAvailability\":\"NONE\",\"subsequentSystemConfidentiality\":\"HIGH\",\"subsequentSystemIntegrity\":\"HIGH\",\"subsequentSystemAvailability\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirements\":\"NOT_DEFINED\",\"integrityRequirements\":\"NOT_DEFINED\",\"availabilityRequirements\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnerableSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedVulnerableSystemIntegrity\":\"NOT_DEFINED\",\"modifiedVulnerableSystemAvailability\":\"NOT_DEFINED\",\"modifiedSubsequentSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedSubsequentSystemIntegrity\":\"NOT_DEFINED\",\"modifiedSubsequentSystemAvailability\":\"NOT_DEFINED\",\"safety\":\"NOT_DEFINED\",\"automatable\":\"NOT_DEFINED\",\"recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"LOW\",\"providerUrgency\":\"GREEN\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"emo@eclipse.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-303\"},{\"lang\":\"en\",\"value\":\"CWE-305\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:eclipse_dataspace_components:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.5.0\",\"versionEndExcluding\":\"0.9.0\",\"matchCriteriaId\":\"2888B4A6-45F7-4AA7-A1B5-13AA28E245D0\"}]}]}],\"references\":[{\"url\":\"https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/eclipse-edc/Connector/releases/tag/v0.9.0\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://gitlab.eclipse.org/security/cve-assignement/-/issues/28\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-8642\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-09-11T14:03:51.264915Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:eclipse_foundation:edc:0.5.0:*:*:*:*:*:*:*\"], \"vendor\": \"eclipse_foundation\", \"product\": \"edc\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.5.0\", \"lessThan\": \"0.9.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-09-11T14:06:44.769Z\"}}], \"cna\": {\"title\": \"Eclipse EDC: Consumer pull transfer token validation checks not applied\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/RE:L/U:Green\", \"providerUrgency\": \"GREEN\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/eclipse-edc/Connector\", \"vendor\": \"Eclipse Foundation\", \"modules\": [\"transfer-data-plane\"], \"product\": \"Eclipse EDC Connector\", \"versions\": [{\"status\": \"affected\", \"version\": \"0.5.0\", \"lessThan\": \"0.9.0\", \"versionType\": \"semver\"}], \"packageName\": \"org.eclipse.edc:transfer-data-plane\", \"collectionURL\": \"https://repo.maven.apache.org/maven2/\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234\"}, {\"url\": \"https://gitlab.eclipse.org/security/cve-assignement/-/issues/28\"}, {\"url\": \"https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6\"}, {\"url\": \"https://github.com/eclipse-edc/Connector/releases/tag/v0.9.0\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module \\\"transfer-data-plane\\\". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module \\\"transfer-data-plane\\\". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-303\", \"description\": \"CWE-303\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-305\", \"description\": \"CWE-305\"}]}], \"providerMetadata\": {\"orgId\": \"e51fbebd-6053-4e49-959f-1b94eeb69a2c\", \"shortName\": \"eclipse\", \"dateUpdated\": \"2024-09-11T13:34:28.463Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-8642\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-11T14:06:55.373Z\", \"dateReserved\": \"2024-09-10T06:20:33.205Z\", \"assignerOrgId\": \"e51fbebd-6053-4e49-959f-1b94eeb69a2c\", \"datePublished\": \"2024-09-11T13:34:28.463Z\", \"assignerShortName\": \"eclipse\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.