NVD Vulnerability Detail
Search Exploit, PoC
CVE-2024-9202
Summary

In Eclipse Dataspace Components versions 0.1.3 to 0.9.0, the Connector component filters which datasets (= data offers) another party can see in a requested catalog, to ensure that only authorized parties are able to view restricted offers.
However, there is the possibility to request a single dataset, which should be subject to the same filtering process, but currently is missing the correct filtering.

This enables parties to potentially see datasets they should not have access to, thereby exposing sensitive information. Exploiting this vulnerability requires knowing the ID of a restricted dataset, but some IDs may be guessed by trying out many IDs in an automated way.

Affected code:
DatasetResolverImpl, L76-79 https://github.com/eclipse-edc/Connector/blob/v0.9.0/core/control-plane/control-plane-catalog/src/main/java/org/eclipse/edc/connector/controlplane/catalog/DatasetResolverImpl.java

Publication Date Sept. 27, 2024, 7:15 p.m.
Registration Date Sept. 28, 2024, 5:01 a.m.
Last Update Sept. 30, 2024, 9:46 p.m.
Related information, measures and tools
Common Vulnerabilities List
JVN Vulnerability Information
Eclipse Foundation の eclipse dataspace components における認証の欠如に関する脆弱性
Title Eclipse Foundation の eclipse dataspace components における認証の欠如に関する脆弱性
Summary

Eclipse Foundation の eclipse dataspace components には、認証の欠如に関する脆弱性が存在します。

Possible impacts 情報を取得される可能性があります。
Solution

ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date Sept. 27, 2024, midnight
Registration Date Jan. 10, 2025, 4:28 p.m.
Last Update Jan. 10, 2025, 4:28 p.m.
Affected System
Eclipse Foundation
eclipse dataspace components 0.1.3 以上 0.9.1 未満
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
その他
Change Log
No Changed Details Date of change
1 [2025年01月10日]
  掲載		 Jan. 10, 2025, 4:28 p.m.