Eclipse Dataspace Components 0.5-0.9 Token Expiry Validation Flaw
CVE-2024-8642 Published on September 11, 2024
Eclipse EDC: Consumer pull transfer token validation checks not applied
In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check token validity (expiry, not-before and issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires a dataplane configured to support HTTP proxy consumer pull AND the inclusion of the module "transfer-data-plane". The affected code was marked deprecated from version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code was removed.
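As an added illustration of the missing checks (example code written for this page, not EDC project code), the flawed validator below accepts a token as long as the temporal claims are merely present, while the hardened one enforces exp, nbf and iat against a fixed clock; the claim values and the 30-second skew allowance are constructed assumptions.

```python
# Constructed values: a fixed "current time" keeps the results reproducible,
# and the leeway is an assumed clock-skew tolerance, not an EDC setting.
NOW = 1_700_000_000
LEEWAY = 30


def validate_flawed(claims: dict) -> bool:
    """Mirrors the advisory's flaw: the claims are read but never compared
    against the clock, so an expired or not-yet-valid token is accepted."""
    return "exp" in claims and "iat" in claims


def validate_temporal(claims: dict, now: int = NOW, leeway: int = LEEWAY):
    """Hardened check enforcing expiry, not-before and issuance date.
    Returns (accepted, reason) so callers can log why a token was refused."""
    exp = claims.get("exp")
    nbf = claims.get("nbf")
    iat = claims.get("iat")
    if not isinstance(exp, int):
        return False, "missing or malformed exp"
    if not isinstance(iat, int):
        return False, "missing or malformed iat"
    if now >= exp + leeway:          # expiry is enforced, with bounded skew
        return False, "token expired"
    if nbf is not None and now + leeway < nbf:
        return False, "token not yet valid (nbf)"
    if iat > now + leeway:           # issuance in the future is rejected
        return False, "iat is in the future"
    if exp <= iat:                   # lifetime must be positive
        return False, "exp not after iat"
    return True, "ok"


if __name__ == "__main__":
    expired = {"exp": NOW - 100, "iat": NOW - 1000}
    print("flawed accepts expired token:", validate_flawed(expired))
    print("hardened result:", validate_temporal(expired))
```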
Weakness Types
Incorrect Implementation of Authentication Algorithm
The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. This incorrect implementation may allow authentication to be bypassed.
Authentication Bypass by Primary Weakness
The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.
Products Associated with CVE-2024-8642
Affected Versions
Eclipse Foundation Eclipse EDC Connector:
- Versions from 0.5.0 up to, but not including, 0.9.0 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.