CVE-2024-8642

In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires a dataplane that is configured to support HTTP proxy consumer pull AND includes the module "transfer-data-plane". The affected code was marked deprecated as of version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.
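The gap described above, as an added Python example that is not EDC code (the affected controller is Java): a validator that only checks the signature accepts an expired token, while one that also enforces `exp`, `nbf` and `iat` rejects it. The key, the 30-second leeway and the policy of requiring all three claims are assumptions of this example.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"   # constructed sample key, not a real secret
LEEWAY = 30                     # assumed clock-skew tolerance in seconds

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _unb64(seg):
    return base64.urlsafe_b64decode(seg + b"=" * (-len(seg) % 4))

def sign(claims):
    """Build a compact HS256 token for the constructed test inputs."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(KEY, head + b"." + body, hashlib.sha256).digest()
    return b".".join([head, body, _b64(mac)]).decode()

def verify_signature_only(token):
    """Flawed pattern: integrity is checked, time claims are ignored."""
    head, body, sig = token.encode().split(b".")
    expected = hmac.new(KEY, head + b"." + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    return json.loads(_unb64(body))

def verify_with_time_claims(token, now=None):
    """Hardened pattern: signature first, then exp / nbf / iat."""
    claims = verify_signature_only(token)
    now = time.time() if now is None else now
    for name in ("exp", "nbf", "iat"):
        value = claims.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ValueError(f"missing or non-numeric {name}")
    if now >= claims["exp"] + LEEWAY:
        raise ValueError("token expired")
    if now < claims["nbf"] - LEEWAY:
        raise ValueError("token not yet valid")
    if claims["iat"] > now + LEEWAY:
        raise ValueError("token issued in the future")
    return claims

def is_accepted(verifier, token, **kwargs):
    """Return True if the verifier accepts the token, False if it rejects it."""
    try:
        verifier(token, **kwargs)
        return True
    except ValueError:
        return False
```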
Configurations

Configuration 1

cpe:2.3:a:eclipse:eclipse_dataspace_components:*:*:*:*:*:*:*:*

History

19 Sep 2024, 15:18

| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6 - | () https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6 - Patch |
| References | () https://github.com/eclipse-edc/Connector/releases/tag/v0.9.0 - | () https://github.com/eclipse-edc/Connector/releases/tag/v0.9.0 - Release Notes |
| References | () https://gitlab.eclipse.org/security/cve-assignement/-/issues/28 - | () https://gitlab.eclipse.org/security/cve-assignement/-/issues/28 - Issue Tracking |
| References | () https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234 - | () https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234 - Vendor Advisory |
| Summary | | (es) In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the token expiration check. The issue requires a data plane configured to support HTTP proxy consumer pull AND inclusion of the "transfer-data-plane" module. The affected code was marked deprecated from version 0.6.0 in favour of Dataplane Signaling. In version 0.9.0 the vulnerable code was removed. |
| CPE | | cpe:2.3:a:eclipse:eclipse_dataspace_components:*:*:*:*:*:*:*:* |
| CWE | | CWE-287 |
| First Time | | Eclipse eclipse Dataspace Components; Eclipse |
| CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 8.1 |

11 Sep 2024, 14:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-11 14:15

Updated : 2024-09-19 15:18


NVD link : CVE-2024-8642

Mitre link : CVE-2024-8642

CVE.ORG link : CVE-2024-8642


Products Affected

eclipse

  • eclipse_dataspace_components
CWE
CWE-287

Improper Authentication

CWE-303

Incorrect Implementation of Authentication Algorithm

CWE-305

Authentication Bypass by Primary Weakness