GHSA-8259-2x72-2gvc

Published: 11 Sep 2024
Source: github
GitHub: reviewed
CVSS4: 5.1 (Medium)
CVSS3: 7.3 (High)

Description

Eclipse Dataspace Components's ConsumerPullTransferTokenValidationApiController doesn't check for token validity

In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check the token's validity period (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires a dataplane configured to support HTTP proxy consumer pull AND the module "transfer-data-plane" to be included. The affected code was marked deprecated from version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.
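As an added illustration (not EDC's own code), the difference between a signature-only token check and one that also validates the exp, nbf and iat claims, using a minimal constructed HS256 token helper; the key, claims and leeway below are assumed values for the demo:

```python
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

# Constructed demo values, not real credentials or EDC defaults.
KEY = b"demo-shared-secret"
LEEWAY = 30  # seconds of clock skew tolerated between issuer and validator

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes = KEY) -> str:
    """Build a compact HS256 JWT from a claims dict (demo issuer)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def signature_only_check(token: str, key: bytes = KEY) -> bool:
    """The weak pattern: any token with a valid signature is accepted,
    however old it is. This is the class of bug described above."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _unb64(sig))

def validate_token(token: str, key: bytes = KEY, now: Optional[int] = None) -> Tuple[bool, str]:
    """Hardened check: signature plus exp / nbf / iat with bounded clock skew."""
    if not signature_only_check(token, key):
        return False, "bad signature"
    claims = json.loads(_unb64(token.split(".")[1]))
    now = int(time.time()) if now is None else now
    for name in ("exp", "nbf", "iat"):  # treat all three as mandatory
        if not isinstance(claims.get(name), int):
            return False, f"missing or non-integer claim: {name}"
    if now >= claims["exp"] + LEEWAY:
        return False, "token expired"
    if now < claims["nbf"] - LEEWAY:
        return False, "token not yet valid"
    if claims["iat"] > now + LEEWAY:
        return False, "token issued in the future"
    return True, "ok"
```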

Packages

Name: org.eclipse.edc:transfer-data-plane (maven)
Affected versions: >= 0.5.0, < 0.9.0
Fixed version: 0.9.0

EPSS

Score: 0.00115 (percentile 31%, Low)


Weaknesses

CWE-287
CWE-303

Related vulnerabilities

CVSS3: 8.1
nvd
more than a year ago


CVSS3: 8.1
fstec
more than a year ago

A vulnerability in the ConsumerPullTransferTokenValidationApiController component of the Eclipse EDC data-processing and information-ecosystem software that allows an attacker to bypass the token expiry check
