CVE-2024-9202

low-risk

Published 2024-09-27

In Eclipse Dataspace Components versions 0.1.3 to 0.9.0, the Connector component filters which datasets (= data offers) another party can see in a requested catalog, to ensure that only authorized parties are able to view restricted offers. However, there is the possibility to request a single dataset, which should be subject to the same filtering process, but currently is missing the correct filtering. This enables parties to potentially see datasets they should not have access to, thereby exposing sensitive information. Exploiting this vulnerability requires knowing the ID of a restricted dataset, but some IDs may be guessed by trying out many IDs in an automated way. Affected code: DatasetResolverImpl, L76-79 https://github.com/eclipse-edc/Connector/blob/v0.9.0/core/control-plane/control-plane-catalog/src/main/java/org/eclipse/edc/connector/controlplane/catalog/DatasetResolverImpl.java

Do I need to act?

0.51% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Eclipse Dataspace Components

Affected Vendors

Eclipse

References (3)

Issue Tracking https://github.com/eclipse-edc/Connector/pull/4490

Issue Tracking https://github.com/eclipse-edc/Connector/pull/4491

Issue Tracking https://gitlab.eclipse.org/security/cve-assignement/-/issues/35

/ 100

low-risk

Severity 17/34 · Moderate

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal