// For flags

CVE-2024-9202

EDC DataSetResolver policy filtering missing

Severity Score

5.3
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

In Eclipse Dataspace Components versions 0.1.3 to 0.9.0, the Connector component filters which datasets (= data offers) another party can see in a requested catalog, to ensure that only authorized parties are able to view restricted offers.
However, there is the possibility to request a single dataset, which should be subject to the same filtering process, but currently is missing the correct filtering.


This enables parties to potentially see datasets they should not have access to, thereby exposing sensitive information. Exploiting this vulnerability requires knowing the ID of a restricted dataset, but some IDs may be guessed by trying out many IDs in an automated way.


Affected code:
DatasetResolverImpl, L76-79 https://github.com/eclipse-edc/Connector/blob/v0.9.0/core/control-plane/control-plane-catalog/src/main/java/org/eclipse/edc/connector/controlplane/catalog/DatasetResolverImpl.java

En las versiones 0.1.3 a 0.9.0 de Eclipse Dataspace Components, el componente Connector filtra qué conjuntos de datos (= ofertas de datos) puede ver otra parte en un catálogo solicitado, para garantizar que solo las partes autorizadas puedan ver las ofertas restringidas. Sin embargo, existe la posibilidad de solicitar un único conjunto de datos, que debería estar sujeto al mismo proceso de filtrado, pero que actualmente no tiene el filtrado correcto. Esto permite que las partes vean potencialmente conjuntos de datos a los que no deberían tener acceso, lo que expone información confidencial. Para explotar esta vulnerabilidad es necesario conocer el ID de un conjunto de datos restringido, pero algunos ID se pueden adivinar probando muchos ID de forma automática. Código afectado: DatasetResolverImpl, L76-79 https://github.com/eclipse-edc/Connector/blob/v0.9.0/core/control-plane/control-plane-catalog/src/main/java/org/eclipse/edc/connector/controlplane/catalog/DatasetResolverImpl.java

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
None
System
Vulnerable | Subsequent
Confidentiality
Low
Low
Integrity
None
None
Availability
None
None
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
None
System
Vulnerable | Subsequent
Confidentiality
Low
Low
Integrity
None
None
Availability
None
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-09-26 CVE Reserved
  • 2024-09-27 CVE Published
  • 2024-09-27 CVE Updated
  • 2024-09-28 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-862: Missing Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Eclipse Foundation
Search vendor "Eclipse Foundation"
 Eclipse Dataspace Components
Search vendor "Eclipse Foundation" for product "Eclipse Dataspace Components"
 >= 0.1.3 <= 0.9.0
Search vendor "Eclipse Foundation" for product "Eclipse Dataspace Components" and version " >= 0.1.3 <= 0.9.0"
en
Affected