CVE-2024-4536

{"id": "CVE-2024-4536", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "emo@eclipse.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.3, "exploitabilityScore": 1.0}]}, "published": "2024-05-07T13:15:48.513", "references": [{"url": "https://github.com/eclipse-edc/Connector/commit/a4e6018d2c0457fba6f672fafa6c590513c45d1b", "source": "emo@eclipse.org"}, {"url": "https://github.com/eclipse-edc/Connector/releases/tag/v0.6.3", "source": "emo@eclipse.org"}, {"url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/22", "source": "emo@eclipse.org"}, {"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/198", "source": "emo@eclipse.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "emo@eclipse.org", "description": [{"lang": "en", "value": "CWE-201"}, {"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, in the EDC Connector component ( https://github.com/eclipse-edc/Connector ), an attacker might obtain OAuth2 client secrets from the vault.\n\nIn Eclipse Dataspace Components from version 0.2.1 to 0.6.2, we have identified a security vulnerability in the EDC Connector component ( https://github.com/eclipse-edc/Connector ) regarding the OAuth2-protected data sink feature. When using a custom, OAuth2-protected data sink, the OAuth2-specific data address properties are resolved by the provider data plane. Problematically, the consumer-provided clientSecretKey, which indicates the OAuth2 client secret to retrieve from a secrets vault, is resolved in the context of the provider's vault, not the consumer. This secret's value is then sent to the tokenUrl, also consumer-controlled, as part of an OAuth2 client credentials grant. The returned access token is then sent as a bearer token to the data sink URL.\n\nThis feature is now disabled entirely, because not all code paths necessary for a successful realization were fully implemented.\n\n"}], "lastModified": "2024-05-07T13:39:32.710", "sourceIdentifier": "emo@eclipse.org"}