{"id":"CVE-2024-8642","summary":"Eclipse EDC: Consumer pull transfer token validation checks not applied","details":"In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module \"transfer-data-plane\". The affected code was marked deprecated from the version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.","aliases":["GHSA-8259-2x72-2gvc"],"modified":"2026-07-08T06:27:44.467255986Z","published":"2024-09-11T13:34:28.463Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/8xxx/CVE-2024-8642.json","cwe_ids":["CWE-303","CWE-305"],"cna_assigner":"eclipse"},"references":[{"type":"WEB","url":"https://github.com/eclipse-edc/Connector/releases/tag/v0.9.0"},{"type":"WEB","url":"https://repo.maven.apache.org/maven2/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/8xxx/CVE-2024-8642.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-8642"},{"type":"REPORT","url":"https://gitlab.eclipse.org/security/cve-assignement/-/issues/28"},{"type":"REPORT","url":"https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/234"},{"type":"FIX","url":"https://github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6"},{"type":"PACKAGE","url":"https://github.com/eclipse-edc/Connector"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eclipse-edc/connector","events":[{"introduced":"b113a82e3cd5c4a929e8ea2ece2590980dc6d27f"},{"fixed":"2de2e94d06ead5d4fd3c1f8ab1980f5b8ee9dfb1"},{"fixed":"04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6"}],"database_specific":{"cpe":"cpe:2.3:a:eclipse:eclipse_dataspace_components:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0.5.0"},{"fixed":"0.9.0"}],"source":["CPE_RANGE","REFERENCES"]}}],"versions":["v0.7.1","v0.8.1","v0.8.0","v0.6.4","v0.7.0","v0.6.3","v0.6.2","v0.6.1","v0.6.0","v0.5.1","v0.5.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-8642.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/RE:L/U:Green"}]}