GHSA-8259-2x72-2gvc

Source

https://github.com/advisories/GHSA-8259-2x72-2gvc

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-8259-2x72-2gvc/GHSA-8259-2x72-2gvc.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8259-2x72-2gvc

Aliases

CVE-2024-8642

Published

2024-09-11T15:31:12Z

Modified

2024-09-19T17:40:22.743073Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Green CVSS Calculator

Summary

Eclipse Dataspace Components's ConsumerPullTransferTokenValidationApiController doesn't check for token validit

Details

In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module "transfer-data-plane". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.

Database specific

{
    "nvd_published_at": "2024-09-11T14:15:14Z",
    "cwe_ids": [
        "CWE-287",
        "CWE-303"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-11T17:31:04Z"
}

References

Affected packages

Maven / org.eclipse.edc:transfer-data-plane

Package

Name: org.eclipse.edc:transfer-data-plane; View open source insights on deps.dev
Purl: pkg:maven/org.eclipse.edc/transfer-data-plane

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.5.0

Fixed

0.9.0

Affected versions

0.*

0.5.0

0.5.1

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.7.0

0.7.1

0.7.2

0.8.0

0.8.1