GHSA-8259-2X72-2GVC

Vulnerability from github – Published: 2024-09-11 15:31 – Updated: 2026-02-02 15:37
VLAI
Summary
Eclipse Dataspace Components's ConsumerPullTransferTokenValidationApiController doesn't check for token validit
Details

In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module "transfer-data-plane". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.

Severity
7.3 (High)
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N
5.1 (Medium)
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/RE:L/U:Green
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.eclipse.edc:transfer-data-plane"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.5.0"
            },
            {
              "fixed": "0.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-8642"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-303"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-11T17:31:04Z",
    "nvd_published_at": "2024-09-11T14:15:14Z",
    "severity": "MODERATE"
  },
  "details": "In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module \"transfer-data-plane\". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.",
  "id": "GHSA-8259-2x72-2gvc",
  "modified": "2026-02-02T15:37:32Z",
  "published": "2024-09-11T15:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8642"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eclipse-edc/Connector"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-edc/Connector/blob/bcb2e42aee82ce1863be3dcbdab29919d39a0e97/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/controlplane/transfer/dataplane/api/ConsumerPullTransferTokenValidationApiController.java"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse-edc/Connector/releases/tag/v0.9.0"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/28"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Green",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Eclipse Dataspace Components\u0027s ConsumerPullTransferTokenValidationApiController doesn\u0027t check for token validit"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.