In Eclipse Dataspace Components versions 0.2.1 through 0.6.2, in the EDC Connector component ( https://github.com/eclipse-edc/Connector ), a malicious consumer can cause the provider to read a secret from the provider's own vault and send its value to a consumer-controlled endpoint, by supplying the secret's key as the OAuth2 client secret key of a custom data sink.
In Eclipse Dataspace Components versions 0.2.1 through 0.6.2, a security vulnerability has been identified in the EDC Connector component ( https://github.com/eclipse-edc/Connector ) in the OAuth2-protected data sink feature. When a consumer requests a transfer to a custom, OAuth2-protected data sink, the OAuth2-specific data address properties are resolved by the provider's data plane. The problem is that the consumer-provided clientSecretKey, which names the OAuth2 client secret to retrieve from a secrets vault, is resolved against the provider's vault rather than the consumer's. The resolved secret value is then sent to the tokenUrl, which is also consumer-controlled, as part of an OAuth2 client credentials grant, and the returned access token is sent as a bearer token to the consumer's data sink URL. In effect, any consumer able to submit such a transfer request can name a key in the provider's vault and have the provider deliver that secret's value to an endpoint the consumer operates.
As the fix, this feature has been disabled entirely, because not all code paths needed for a correct implementation were complete. Operators running an affected version should upgrade to a fixed release; until then, any secret stored in the provider's vault should be treated as potentially exposed to consumers that could have requested transfers with a custom OAuth2-protected data sink.
[
{
"target": {
"file": "extensions/common/iam/identity-trust/identity-trust-transform/src/test/java/org/eclipse/edc/iam/identitytrust/transform/to/JwtToVerifiableCredentialTransformerTest.java"
},
"id": "CVE-2024-4536-2b323a50",
"deprecated": false,
"digest": {
"line_hashes": [
"137108240589790311084653231598719689996",
"171019766714827752264613764330606904043",
"168374718274232650928764124015673209681",
"258242307622631382510189819711354005092",
"196823908280110780900336257373635470254",
"107574546537561977131695159572952160128",
"59702351224655082852136156433079823875",
"186748229710891129756673737437908888321",
"132660326218128332929914541648270662169",
"35082011753562409607295751239785130487"
],
"threshold": 0.9
},
"signature_type": "Line",
"source": "https://github.com/eclipse-edc/connector/commit/a2e28228175c94cddd14d9bcbd203ea1720829bc",
"signature_version": "v1"
},
{
"target": {
"file": "extensions/data-plane/data-plane-http-oauth2-core/src/main/java/org/eclipse/edc/connector/dataplane/http/oauth2/DataPlaneHttpOauth2Extension.java"
},
"id": "CVE-2024-4536-4aae7f1e",
"deprecated": false,
"digest": {
"line_hashes": [
"205517817729807907990529119271840652828",
"336413893178903906520533229721211417248",
"206872118596672188431547431660915274570",
"223449569409789242490739638803217379183"
],
"threshold": 0.9
},
"signature_type": "Line",
"source": "https://github.com/eclipse-edc/connector/commit/a4e6018d2c0457fba6f672fafa6c590513c45d1b",
"signature_version": "v1"
},
{
"target": {
"function": "transform",
"file": "extensions/common/iam/identity-trust/identity-trust-transform/src/test/java/org/eclipse/edc/iam/identitytrust/transform/to/JsonObjectToVerifiableCredentialTransformerTest.java"
},
"id": "CVE-2024-4536-54a9507f",
"deprecated": false,
"digest": {
"length": 725.0,
"function_hash": "289930628743782597220650461283129379715"
},
"signature_type": "Function",
"source": "https://github.com/eclipse-edc/connector/commit/a2e28228175c94cddd14d9bcbd203ea1720829bc",
"signature_version": "v1"
},
{
"target": {
"file": "extensions/common/iam/identity-trust/identity-trust-transform/src/main/java/org/eclipse/edc/iam/identitytrust/transform/to/JwtToVerifiableCredentialTransformer.java"
},
"id": "CVE-2024-4536-6a1e8db4",
"deprecated": false,
"digest": {
"line_hashes": [
"149139183338760533254963703363469717060",
"121746248016875643838039296723580343471",
"4231378557935078967163383996169324680",
"60791745967395718462920604099740924040"
],
"threshold": 0.9
},
"signature_type": "Line",
"source": "https://github.com/eclipse-edc/connector/commit/a2e28228175c94cddd14d9bcbd203ea1720829bc",
"signature_version": "v1"
},
{
"target": {
"function": "transform_success",
"file": "extensions/common/iam/identity-trust/identity-trust-transform/src/test/java/org/eclipse/edc/iam/identitytrust/transform/to/JwtToVerifiableCredentialTransformerTest.java"
},
"id": "CVE-2024-4536-a1803c77",
"deprecated": false,
"digest": {
"length": 429.0,
"function_hash": "171158727157617477222670873158353052424"
},
"signature_type": "Function",
"source": "https://github.com/eclipse-edc/connector/commit/a2e28228175c94cddd14d9bcbd203ea1720829bc",
"signature_version": "v1"
},
{
"target": {
"function": "initialize",
"file": "extensions/data-plane/data-plane-http-oauth2-core/src/main/java/org/eclipse/edc/connector/dataplane/http/oauth2/DataPlaneHttpOauth2Extension.java"
},
"id": "CVE-2024-4536-a253d29c",
"deprecated": false,
"digest": {
"length": 241.0,
"function_hash": "177334205491409150041007999850040340392"
},
"signature_type": "Function",
"source": "https://github.com/eclipse-edc/connector/commit/a4e6018d2c0457fba6f672fafa6c590513c45d1b",
"signature_version": "v1"
},
{
"target": {
"file": "extensions/common/iam/identity-trust/identity-trust-transform/src/test/java/org/eclipse/edc/iam/identitytrust/transform/TestData.java"
},
"id": "CVE-2024-4536-f86971a3",
"deprecated": false,
"digest": {
"line_hashes": [
"72330316119926484298942944384605121544",
"184676878223520620502753251649320303180",
"200993309371826331249891349496437986491",
"255574643845819427259484424784212429738",
"323133313228924613555159397465868615844",
"82998179035343812469147824339895324431",
"81328293703863360290436916444092867829",
"269813539672818395838014719307190359306",
"20783380772849009641000381281154318051",
"159016468183569170150944211886912957877",
"27294741796017429841631132924499190247",
"274779508782019945895879288637172752984",
"68333746812826098989199783212519909403",
"325958430061239275345957108846276319787",
"204134649095301817684722053615074245305",
"185211279705444413403706679819812396184",
"66876669054436569926845948228324864034",
"150499467159693364904654121560792031293",
"154322302941719293498835148511720399211",
"250762378720659337677541387143699175653",
"32309789536244953398112099676447067278",
"4331767858254074779336807305027977463",
"121599539262218605101184395520216249013",
"318679141246355546295270016297405911738",
"253739263998605151285893156578377886834",
"202340249809668717836654868611343792183",
"168427086073623248589361970837395307263",
"69557446740466635697632858291415939460",
"283934279937470752165525240485527547510",
"176181414837278013999775353146922773656",
"253210479468455956567801677395803431335",
"244759537930795583649460806499382614191",
"261159806185854666614721162843246254063",
"46555636093373579214957470090256282212",
"230604562188741534389632755792328065236",
"98111341649062277824978595888826525192",
"462730622594823789628995983505077530",
"75880280185457559460963197681901539963"
],
"threshold": 0.9
},
"signature_type": "Line",
"source": "https://github.com/eclipse-edc/connector/commit/a2e28228175c94cddd14d9bcbd203ea1720829bc",
"signature_version": "v1"
}
]
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-4536.json"