Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-9202

Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
27/09/2024
Last modified:
09/01/2025

Description

In Eclipse Dataspace Components versions 0.1.3 to 0.9.0, the Connector component filters which datasets (= data offers) another party can see in a requested catalog, to ensure that only authorized parties are able to view restricted offers.<br /> However, there is the possibility to request a single dataset, which should be subject to the same filtering process, but currently is missing the correct filtering.<br /> <br /> <br /> This enables parties to potentially see datasets they should not have access to, thereby exposing sensitive information. Exploiting this vulnerability requires knowing the ID of a restricted dataset, but some IDs may be guessed by trying out many IDs in an automated way.<br /> <br /> <br /> Affected code:<br /> DatasetResolverImpl, L76-79 https://github.com/eclipse-edc/Connector/blob/v0.9.0/core/control-plane/control-plane-catalog/src/main/java/org/eclipse/edc/connector/controlplane/catalog/DatasetResolverImpl.java

Impact

Vector 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/RE:M/U:Amber CVSS v4.0 Severity and Metrics:

Base Score: 5.30 MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/RE:M/U:Amber

Attack Vector (AV): Network
Attack Complexity (AC): Low
Attack Requirements (AT): None
Privileges Required (PR): Low
User Interaction (UI): None
Confidentiality (VC): Low
Integrity (VI): None
Availability (VA): None
Confidentiality (SC): Low
Integrity (SI): None
Availability (SA): None
Vulnerability Response Effort (RE): Moderate
Provider Urgency (U): Amber

Base Score 4.0
5.30
Severity 4.0
MEDIUM
Vector 3.x
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 5.30 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

Base Score 3.x
5.30
Severity 3.x
MEDIUM

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:eclipse:eclipse_dataspace_components:*:*:*:*:*:*:*:* 0.1.3 (including) 0.9.1 (excluding)

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools