CVE-2024-8642
Eclipse Dataspace Components's ConsumerPullTransferTokenValidationApiController doesn't check for token validit
Description
In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module "transfer-data-plane". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.
How to fix CVE-2024-8642
To remediate CVE-2024-8642, upgrade the affected package to a fixed version below.
- —upgrade to 0.9.0 or later
Is CVE-2024-8642 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 0.5.0, < 0.9.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Green |
| osv | CVSS 3.1 | HIGH7.3 | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N |
References (7)
- ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-8642
- PATCHgithub.com/eclipse-edc/Connector
- WEBgithub.com/eclipse-edc/Connector/blob/bcb2e42aee82ce1863be3dcbdab29919d39a0e97/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/controlplane/transfer/dataplane/api/ConsumerPullTransferTokenValidationApiController.java