PT-2024-39485 · Eclipse · Eclipse Dataspace Components

Marta Rybczynska · Published 2024-09-27 · Updated 2025-01-09 · CVE-2024-9202

CVSS v4.0: 5.3 (Medium)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/RE:M/U:Amber
Name of the Vulnerable Software and Affected Versions: Eclipse Dataspace Components versions 0.1.3 through 0.9.0

Description: The issue concerns the Connector component in Eclipse Dataspace Components, which is responsible for filtering the datasets that another party can see in a requested catalog. However, a single dataset can be requested without that filtering being applied, so a party may see datasets it should not have access to, exposing sensitive information. Exploiting this issue requires knowing the ID of a restricted dataset, but some IDs may be guessed through automated attempts.

Recommendations: For Eclipse Dataspace Components versions 0.1.3 through 0.9.0, patch immediately to mitigate the risk. As a temporary workaround, consider restricting access to DatasetResolverImpl until a patch is available, and avoid using the affected code in DatasetResolverImpl, specifically lines 76-79, until the issue is resolved.
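As an added illustration (not code from Eclipse Dataspace Components), the weakness class the advisory describes modelled in Python: the catalog listing applies a visibility policy, a by-ID lookup that skips that policy reproduces the flaw, and the hardened lookup reuses the listing's check; a small consistency check shows how a regression test can catch the discrepancy. `Dataset`, `allowed_parties` and the party names are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Dataset:
    """A catalog entry. `allowed_parties` stands in for the access policy a
    connector evaluates before showing a dataset to a requesting party."""
    id: str
    allowed_parties: frozenset


@dataclass
class Catalog:
    datasets: dict = field(default_factory=dict)


def is_visible(dataset: Dataset, requester: str) -> bool:
    # Single policy decision that every lookup path must share.
    return requester in dataset.allowed_parties


def list_catalog(catalog: Catalog, requester: str) -> list:
    # Catalog listing: only datasets the requester may see are returned.
    return [d for d in catalog.datasets.values() if is_visible(d, requester)]


def get_dataset_unfiltered(catalog: Catalog, requester: str, dataset_id: str):
    # Vulnerable pattern: the by-ID lookup bypasses the policy check that the
    # listing applies, so knowing an ID is enough to read a restricted entry.
    return catalog.datasets.get(dataset_id)


def get_dataset_filtered(catalog: Catalog, requester: str, dataset_id: str):
    # Hardened pattern: reuse the listing's visibility check. An unauthorized
    # request is answered exactly like an unknown ID, so ID existence does not leak.
    d = catalog.datasets.get(dataset_id)
    return d if d is not None and is_visible(d, requester) else None


def lookup_is_consistent(catalog: Catalog, requester: str, get_by_id) -> bool:
    # Regression check: anything resolvable by ID for a requester must also
    # appear in that requester's filtered listing.
    listed = {d.id for d in list_catalog(catalog, requester)}
    return all(get_by_id(catalog, requester, i) is None or i in listed
               for i in catalog.datasets)


# Constructed sample data, not taken from the advisory.
SAMPLE_CATALOG = Catalog({
    "public-1": Dataset("public-1", frozenset({"party-a", "party-b"})),
    "restricted-1": Dataset("restricted-1", frozenset({"party-a"})),
})
```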

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2024-9202

Affected Products: Eclipse Dataspace Components