Eclipse Dataspace Connector 0.1.30.9.0 Data Offer Disclosure Vulnerability
CVE-2024-9202 Published on September 27, 2024
EDC DataSetResolver policy filtering missing
In Eclipse Dataspace Components versions 0.1.3 to 0.9.0, the Connector component filters which datasets (= data offers) another party can see in a requested catalog, to ensure that only authorized parties are able to view restricted offers.
However, there is the possibility to request a single dataset, which should be subject to the same filtering process, but currently is missing the correct filtering.
This enables parties to potentially see datasets they should not have access to, thereby exposing sensitive information. Exploiting this vulnerability requires knowing the ID of a restricted dataset, but some IDs may be guessed by trying out many IDs in an automated way.
Affected code:
DatasetResolverImpl, L76-79 https://github.com/eclipse-edc/Connector/blob/v0.9.0/core/control-plane/control-plane-catalog/src/main/java/org/eclipse/edc/connector/controlplane/catalog/DatasetResolverImpl.java
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2024-9202 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2024-9202
Want to know whenever a new CVE is published for Eclipse Dataspace Components? stack.watch will email you.
Affected Versions
Eclipse Foundation Eclipse Dataspace Components:- Version 0.1.3, <= 0.9.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.