CVE-2024-8642

CVSS V2 None CVSS V3 None

Description

In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module "transfer-data-plane". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.

Overview

CVE ID
CVE-2024-8642

Assigner
eclipse

Vulnerability Status
PUBLISHED

Published Version
2024-09-11T13:34:28.463Z

Last Modified Date
2024-09-11T14:06:55.373Z

Weakness Enumerations

CWE	URL
CWE-303	http://cwe.mitre.org/data/definitions/303.html
CWE-305	http://cwe.mitre.org/data/definitions/305.html

References

Reference URL	Reference Tags
https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234
https://gitlab.eclipse.org/security/cve-assignement/-/issues/28
https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6
https://github.com/eclipse-edc/Connector/releases/tag/v0.9.0

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-8642
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8642

History

Created	Old Value	New Value	Data Type	Notes
2024-09-12 13:05:07				Added to TrackCVE