Eclipse Dataspace Components's ConsumerPullTransferTokenValidationApiController doesn't check for token validit

In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity expiry, not-before, issuance date, which can allow an attacker to bypass the check for token expiration. The issue requires to have ...

org.eclipse.tractusx.edc:data-encryption (=0.6.0), org.eclipse.tractusx.edc:edc-controlplane (=0.6.0) +5 more potentially affected by CVE-2024-8642 via org.eclipse.edc:transfer-data-plane (=0.5.1)

org.eclipse.edc:transfer-data-plane MAVEN version =0.5.1 is affected by a known vulnerability. The following packages have a transitive dependency on org.eclipse.edc:transfer-data-plane and may be impacted: - org.eclipse.tractusx.edc:data-encryption =0.6.0 -...

CVE-2024-8642

In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity expiry, not-before, issuance date, which can allow an attacker to bypass the check for token expiration. The issue requires to have ...

CVE-2024-8642

CVE-2024-8642 affects Eclipse Dataspace Components: versions 0.5.0 up to before 0.9.0 suffer from a missing token validity check in ConsumerPullTransferTokenValidationApiController (expiry, not-before, issuance date). This can enable bypass of token expiration protections when a dataplane is conf...

PT-2024-7968 · Eclipse · Eclipse Dataspace Components

Name of the Vulnerable Software and Affected Versions: Eclipse Dataspace Components versions 0.5.0 through 0.9.0 Description: The issue is related to the ConsumerPullTransferTokenValidationApiController component, which has inadequate authentication procedures. This allows a remote attacker to...