Eclipse Dataspace Components
By the Year
In 2026 there have been 0 vulnerabilities in Eclipse Dataspace Components. Eclipse Dataspace Components did not have any published security vulnerabilities last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 2 | 6.70 |
It may take a day or so for new Eclipse Dataspace Components vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Eclipse Dataspace Components Security Vulnerabilities
Eclipse Dataspace Connector 0.1.3-0.9.0 Data Offer Disclosure Vulnerability
CVE-2024-9202
5.3 - Medium - September 27, 2024
In Eclipse Dataspace Components versions 0.1.3 to 0.9.0, the Connector component filters which datasets (= data offers) another party can see in a requested catalog, to ensure that only authorized parties are able to view restricted offers. However, it is also possible to request a single dataset, which should be subject to the same filtering process but is currently missing the correct filtering. This enables parties to potentially see datasets they should not have access to, thereby exposing sensitive information. Exploiting this vulnerability requires knowing the ID of a restricted dataset, but some IDs may be guessed by trying out many IDs in an automated way. Affected code: DatasetResolverImpl, L76-79: https://github.com/eclipse-edc/Connector/blob/v0.9.0/core/control-plane/control-plane-catalog/src/main/java/org/eclipse/edc/connector/controlplane/catalog/DatasetResolverImpl.java
AuthZ
Eclipse Dataspace Components 0.5-0.9 Token Expiry Validation Flaw
CVE-2024-8642
8.1 - High - September 11, 2024
In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires a dataplane configured to support HTTP proxy consumer pull and the inclusion of the module "transfer-data-plane". The affected code was marked deprecated from version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.
Authentication