CVE-2024-8642

8.1 HIGH

📋 TL;DR

This vulnerability in Eclipse Dataspace Components allows attackers to bypass token expiration checks in the ConsumerPullTransferTokenValidationApiController. Attackers can use expired or invalid tokens to access data transfer functionality. This affects systems running versions 0.5.0 through 0.8.x with specific dataplane configurations.

💻 Affected Systems

Products:
  • Eclipse Dataspace Components
Versions: 0.5.0 through 0.8.x (before 0.9.0)
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Requires dataplane configured to support http proxy consumer pull AND include the 'transfer-data-plane' module. The vulnerable code was deprecated in version 0.6.0.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Unauthorized data access and exfiltration through expired tokens, potentially leading to data breaches and compliance violations.

🟠 Likely Case: Unauthorized data transfers using expired tokens, compromising data integrity and access controls.

🟢 If Mitigated: Limited impact if proper network segmentation and monitoring are in place, but still represents an authentication bypass.

🌐 Internet-Facing: HIGH - If the vulnerable endpoint is exposed to the internet, attackers can directly exploit this without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to bypass token validation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending requests with expired tokens to the vulnerable endpoint. No authentication is needed if the endpoint is accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.0

Vendor Advisory: https://gitlab.eclipse.org/security/cve-assignement/-/issues/28

Restart Required: Yes

Instructions:

1. Upgrade to version 0.9.0 or later.
2. Remove deprecated ConsumerPullTransferTokenValidationApiController code.
3. Migrate to Dataplane Signaling as recommended.
4. Restart the application.

🔧 Temporary Workarounds

Disable vulnerable endpoint (platform: all)

Disable or restrict access to the ConsumerPullTransferTokenValidationApiController endpoint:

  • Configure firewall rules to block access to the vulnerable endpoint
  • Disable the transfer-data-plane module if not required

Network segmentation (platform: linux)

Restrict network access to the vulnerable endpoint to trusted sources only. Replace the placeholders with the data plane's listening port and the trusted peer address. The ACCEPT rule must be inserted before the DROP rule, and rules added this way do not survive a reboot unless saved with the distribution's iptables persistence mechanism.

# allow only the trusted source to reach the vulnerable endpoint's port
iptables -A INPUT -p tcp --dport [PORT] -s [TRUSTED_IP] -j ACCEPT
# drop every other source; appended after the ACCEPT rule so it is evaluated second
iptables -A INPUT -p tcp --dport [PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the vulnerable endpoint
  • Deploy additional token validation at the application or API gateway level

🔍 How to Verify

Check if Vulnerable:

Check if running Eclipse Dataspace Components version 0.5.0 through 0.8.x with transfer-data-plane module enabled and http proxy consumer pull configured.

Check Version:

Check application logs or configuration files for version information, or use: java -jar [application].jar --version

Verify Fix Applied:

Verify version is 0.9.0 or later and that ConsumerPullTransferTokenValidationApiController code is no longer present.

📡 Detection & Monitoring

Log Indicators:

  • Requests to ConsumerPullTransferTokenValidationApiController with expired tokens
  • Successful data transfers with timestamps outside token validity periods
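The two log indicators above, and the "additional token validation at the API gateway level" fallback from the previous section, both reduce to the same check: compare the token's expiry with the time the request was served. The following is an added example written for this page, not code from the advisory or from the Eclipse Dataspace Components project. It assumes (unverified against EDC internals) that the data-plane token is a JWT carrying a standard `exp` claim and that the access log records timestamp, method, path, status and token on each line; the log format, the `/public/transfer` path and the sample tokens are constructed for the example. The scanner reports 2xx responses served after `exp` (which an expiry-enforcing server should never produce), and `token_unexpired` is the fail-closed pre-check a gateway could apply in front of an unpatched data plane.

```python
"""Added example (not EDC project code): flag successful consumer-pull requests
whose bearer token had already expired, plus a fail-closed gateway pre-check.

Assumptions: the data-plane token is a JWT with a standard `exp` claim, and the
access log records timestamp, method, path, status and token per line. The log
format, path and tokens below are constructed for this example."""
import base64
import json
from datetime import datetime, timezone


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(exp_epoch: int) -> str:
    """Build a sample JWT-shaped token. The signature segment is a placeholder:
    nothing here signs or verifies, so this must never stand in for a real verifier."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"exp": exp_epoch, "aud": "dataplane"}).encode())
    return f"{header}.{payload}.placeholder-signature"


def jwt_exp(token: str):
    """Return the `exp` claim as epoch seconds, or None if the token is opaque,
    malformed, or has no `exp` (callers must treat None as 'cannot judge')."""
    try:
        payload_b64 = token.split(".")[1]
        padded = payload_b64 + "=" * (-len(payload_b64) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        exp = claims.get("exp")
        return int(exp) if exp is not None else None
    except (IndexError, ValueError, AttributeError, TypeError):
        return None


def token_unexpired(token: str, now_epoch: int, skew_seconds: int = 0) -> bool:
    """Gateway-side pre-check that fails closed: unparseable tokens are refused.
    Signature and audience checks still belong in the data plane; this only
    enforces the expiry the vulnerable controller failed to enforce."""
    exp = jwt_exp(token)
    return exp is not None and now_epoch <= exp + skew_seconds


LOG_FIELDS = ("timestamp", "method", "path", "status", "token")


def parse_line(line: str) -> dict:
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        raise ValueError(f"unexpected log line: {line!r}")
    return dict(zip(LOG_FIELDS, parts))


def find_expired_token_successes(lines, skew_seconds: int = 0) -> list:
    """Return 2xx responses served after the presented token's `exp`.
    A server that enforces expiry should never produce such entries."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if not rec["status"].startswith("2"):
            continue  # rejected requests are expected behaviour, not findings
        exp = jwt_exp(rec["token"])
        if exp is None:
            continue  # opaque token: cannot be judged from the log alone
        ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        late_by = int(ts.timestamp()) - exp
        if late_by > skew_seconds:
            findings.append({"timestamp": rec["timestamp"], "path": rec["path"],
                             "expired_by_seconds": late_by})
    return findings


# Constructed sample: the token expires at 2024-09-10T12:00:00Z.
EXP = int(datetime(2024, 9, 10, 12, 0, tzinfo=timezone.utc).timestamp())


def sample_log() -> list:
    """Constructed access-log lines, not real EDC output."""
    tok = make_token(EXP)
    return [
        f"2024-09-10T11:59:30Z GET /public/transfer 200 {tok}",  # still valid
        f"2024-09-10T12:00:05Z GET /public/transfer 200 {tok}",  # served 5 s late
        f"2024-09-10T12:10:00Z GET /public/transfer 200 {tok}",  # served 600 s late
        f"2024-09-10T12:10:00Z GET /public/transfer 401 {tok}",  # correctly rejected
        "2024-09-10T12:10:00Z GET /public/transfer 200 opaque-token-no-exp",
    ]


if __name__ == "__main__":
    for hit in find_expired_token_successes(sample_log()):
        print(hit)
```

Run over the constructed log with zero skew this reports the two successful requests served after expiry; a 30-second clock-skew allowance keeps only the one that was 600 seconds late. Whether raw bearer tokens (rather than decoded claims or a token id) should be in access logs at all is a separate decision; the scanner only needs the `exp` claim, so logging that alone is sufficient.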

Network Indicators:

  • Unusual data transfer patterns from the vulnerable endpoint
  • Requests bypassing normal token validation flows

SIEM Query:

source="eclipse-dataspace" AND (endpoint="ConsumerPullTransferTokenValidationApiController" OR token_expired=true)
