PT-2024-31579 · Eclipse · Eclipse Dataspace Components

Sovity GmbH · Published 2024-05-07 · Updated 2024-05-07 · CVE-2024-4536

CVSS v3.1: 6.8 (Medium)
Vector: AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Eclipse Dataspace Components versions 0.2.1 through 0.6.2

Description: A security issue has been identified in the EDC Connector component of Eclipse Dataspace Components, related to the OAuth2-protected data sink feature. When using a custom OAuth2-protected data sink, the OAuth2-specific data address properties are resolved by the provider data plane. The clientSecretKey, which indicates the OAuth2 client secret to retrieve from a secrets vault, is resolved in the context of the provider's vault, not the consumer's. This allows an attacker to potentially obtain OAuth2 client secrets from the vault. The feature is now disabled entirely due to incomplete implementation of the necessary code paths.

Recommendations: For Eclipse Dataspace Components versions 0.2.1 through 0.6.2, consider disabling the OAuth2-protected data sink feature entirely, as it has been disabled in the latest implementation due to security concerns. Restrict access to the EDC Connector component to minimize the risk of exploitation. Avoid using the clientSecretKey in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
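To make the vault-scope confusion concrete, the following is an added Python model written for this advisory; it is not EDC's own code, and every name except clientSecretKey (the Vault class, the address properties, the function names) is an assumption. It shows the provider data plane resolving a consumer-supplied clientSecretKey in its own vault, beside a scope-aware variant that refuses such a lookup, which is the practical effect of the disabled feature the advisory describes.

```python
"""Constructed model of the CVE-2024-4536 vault-scope confusion (not EDC code)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Vault:
    """Minimal secrets store standing in for the provider's vault (assumed API)."""
    secrets: dict = field(default_factory=dict)

    def resolve(self, key: str) -> Optional[str]:
        return self.secrets.get(key)


# Constructed provider vault; these secrets must never reach a consumer.
PROVIDER_VAULT = Vault({"provider-oauth2-secret": "constructed-provider-secret"})

# Constructed data address for an OAuth2-protected sink, as a consumer would supply it.
# Only clientSecretKey is named in the advisory; the other properties are assumed.
CONSUMER_SINK_ADDRESS = {
    "type": "HttpData",
    "baseUrl": "https://consumer.example/sink",
    "clientSecretKey": "provider-oauth2-secret",  # names a key in the provider's vault
}


def resolve_sink_secret_vulnerable(provider_vault: Vault, sink_address: dict) -> Optional[str]:
    """Behaviour the advisory describes: the provider data plane resolves the
    consumer-supplied clientSecretKey against its own vault, so whatever key the
    consumer names is looked up in the provider's secrets."""
    key = sink_address.get("clientSecretKey")
    return provider_vault.resolve(key) if key else None


def resolve_sink_secret_hardened(provider_vault: Vault, sink_address: dict,
                                 supplied_by: str) -> Optional[str]:
    """Scope-aware variant: a vault key is resolved only in the vault of the party
    that supplied the address. The provider data plane has no consumer vault, so a
    consumer-supplied clientSecretKey is refused, which is the practical effect of
    disabling the feature as the advisory recommends."""
    key = sink_address.get("clientSecretKey")
    if key is None:
        return None
    if supplied_by != "provider":
        raise PermissionError(
            f"refusing to resolve clientSecretKey {key!r} supplied by {supplied_by} "
            "in the provider vault (OAuth2-protected data sink disabled)")
    return provider_vault.resolve(key)
```

Operators of affected versions can apply the same check to inbound data addresses: any consumer-supplied address carrying clientSecretKey should be rejected before a vault lookup takes place.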

Weakness Enumeration: Insufficiently Protected Credentials

Related Identifiers

CVE-2024-4536
GHSA-2X52-8F29-7CJR

Affected Products

Eclipse Dataspace Components