PT-2024-7968 · Eclipse · Eclipse Dataspace Components

Marta Rybczynska

Published: 2024-09-11
Updated: 2024-09-19

CVE-2024-8642

CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Eclipse Dataspace Components versions 0.5.0 through 0.9.0
Description: The issue lies in the ConsumerPullTransferTokenValidationApiController component, whose authentication procedure is inadequate: it allows a remote attacker to bypass the token expiration check. Exploitation requires a data plane configured to support HTTP proxy consumer pull that includes the "transfer-data-plane" module. The affected code was marked deprecated from version 0.6.0 in favor of Dataplane Signaling and was removed in version 0.9.0.
Recommendations: For Eclipse Dataspace Components versions 0.5.0 through 0.8.0, update to version 0.9.0 or later to resolve the issue. For Eclipse Dataspace Components version 0.9.0, no action is required as the vulnerable code has been removed. As a temporary workaround, consider disabling the ConsumerPullTransferTokenValidationApiController function until a patch is available. Restrict access to the transfer-data-plane module to minimize the risk of exploitation.

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2024-09481
CVE-2024-8642
GHSA-8259-2X72-2GVC

Affected Products

Eclipse Dataspace Components