CVE-2024-8642 MEDIUM

CVE-2024-8642: Eclipse EDC: Consumer pull transfer token validation checks not applied

Vendor Eclipse Foundation
Product Eclipse EDC Connector
Weakness CWE-303
Published September 11, 2024
Last update September 11, 2024

CVSS base score

5.0/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/RE:L/U:Green

What the vulnerability does

Description

In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires a dataplane configured to support HTTP proxy consumer pull AND inclusion of the module "transfer-data-plane". The affected code was marked deprecated from version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.
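The defect above is a missing set of temporal claim checks on an otherwise accepted token. The following Python example is added here to illustrate that class of bug and its fix; it is not code from Eclipse EDC (which is written in Java) and makes no claim about how the EDC controller is structured. It assumes JWT-style tokens with numeric `exp`, `nbf` and `iat` claims, an HS256 signature under a constructed test key, and a fixed "current time" so the results are deterministic. `vulnerable_validate` verifies the signature only, which is the shape of the bug; `hardened_validate` adds the expiry, not-before and issuance-date checks with a small clock-skew leeway.

```python
"""Token time-claim validation: signature-only check beside the hardened form.
Added example; not Eclipse EDC code. Tokens, key and clock are constructed."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Tuple


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_token(claims: Dict, key: bytes) -> str:
    """Build an HS256-signed compact JWT from constructed claims (test input only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_signature(token: str, key: bytes) -> Dict:
    """Check the HS256 signature and return the claims; raise ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def validate_time_claims(claims: Dict, now: int, leeway: int = 0) -> Tuple[bool, str]:
    """The three checks the advisory says were skipped: exp, nbf and iat."""
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing or malformed exp"
    if now >= exp + leeway:                      # expiry
        return False, "token expired"
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:   # not-before
        return False, "token not yet valid (nbf)"
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)):        # issuance date must be present
        return False, "missing or malformed iat"
    if iat > now + leeway:                       # and not in the future
        return False, "iat in the future"
    return True, "ok"


def vulnerable_validate(token: str, key: bytes, now: int) -> Tuple[bool, str]:
    """Signature only: accepts expired and not-yet-valid tokens (the bug class)."""
    try:
        verify_signature(token, key)
    except ValueError as err:
        return False, str(err)
    return True, "ok"


def hardened_validate(token: str, key: bytes, now: int, leeway: int = 30) -> Tuple[bool, str]:
    """Signature check followed by the time-claim checks."""
    try:
        claims = verify_signature(token, key)
    except ValueError as err:
        return False, str(err)
    return validate_time_claims(claims, now, leeway)


# Constructed inputs: test key and a frozen clock (Unix seconds).
KEY = b"constructed-test-key"
NOW = 1_726_000_000

EXPIRED = make_test_token({"sub": "consumer", "iat": NOW - 7200, "exp": NOW - 3600}, KEY)
FUTURE = make_test_token({"sub": "consumer", "iat": NOW, "nbf": NOW + 600, "exp": NOW + 3600}, KEY)
VALID = make_test_token({"sub": "consumer", "iat": NOW - 60, "exp": NOW + 3600}, KEY)

if __name__ == "__main__":
    for name, tok in [("expired", EXPIRED), ("not-yet-valid", FUTURE), ("valid", VALID)]:
        print(f"{name:14} vulnerable={vulnerable_validate(tok, KEY, NOW)} "
              f"hardened={hardened_validate(tok, KEY, NOW)}")
```

Running the block shows the signature-only path accepting both the expired and the not-yet-valid token, while the hardened path rejects them and accepts only the valid one. The leeway is applied in the token's favour on every bound, so skew between issuer and validator clocks does not reject fresh tokens, but it is bounded (30 seconds here) rather than absent.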

Key dates

Disclosure timeline

September 11, 2024 CVE published
September 11, 2024 Record updated