GHSA-8259-2x72-2gvc

Suggest an improvement
Source
https://github.com/advisories/GHSA-8259-2x72-2gvc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-8259-2x72-2gvc/GHSA-8259-2x72-2gvc.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-8259-2x72-2gvc
Aliases
Published
2024-09-11T15:31:12Z
Modified
2024-09-19T17:50:15.384094Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Green CVSS Calculator
Summary
Eclipse Dataspace Components's ConsumerPullTransferTokenValidationApiController doesn't check for token validit
Details

In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module "transfer-data-plane". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.

Database specific
{
    "nvd_published_at": "2024-09-11T14:15:14Z",
    "cwe_ids": [
        "CWE-287",
        "CWE-303"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-11T17:31:04Z"
}
References

Affected packages

Maven / org.eclipse.edc:transfer-data-plane

Package

Name
org.eclipse.edc:transfer-data-plane
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.edc/transfer-data-plane

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.5.0
Fixed
0.9.0

Affected versions

0.*

0.5.0
0.5.1
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.7.0
0.7.1
0.7.2
0.8.0
0.8.1