CVE-2024-8642
Description
In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires a dataplane configured to support HTTP proxy consumer pull AND the inclusion of the "transfer-data-plane" module. The affected code has been marked deprecated since version 0.6.0 in favour of Dataplane Signaling. In 0.9.0 the vulnerable code has been removed.
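Added example, not code from Eclipse Dataspace Components (which is written in Java): a check that stops at the signature still accepts an expired token, while a check that also evaluates the time claims rejects it. It assumes the token is a JWT carrying the RFC 7519 `exp`, `nbf` and `iat` claims; the HS256 key, `LEEWAY` and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time
LEEWAY = 30  # tolerated clock skew in seconds (assumed value)

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key, head, body):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_token(claims, key):
    """Build a constructed HS256 sample token for this demo."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64url(_mac(key, head, body))}"

def verified_claims(token, key):
    """Signature check only: returns the claims dict, or None if forged."""
    try:
        head, body, sig = token.split(".")
        alg_ok = json.loads(_unb64url(head)).get("alg") == "HS256"
        if not (alg_ok and hmac.compare_digest(_mac(key, head, body), _unb64url(sig))):
            return None
        claims = json.loads(_unb64url(body))
        return claims if isinstance(claims, dict) else None
    except (ValueError, AttributeError):
        return None

def validate(token, key, now=None):
    """Signature check plus the exp / nbf / iat checks; returns (ok, reason)."""
    claims = verified_claims(token, key)
    if claims is None:
        return False, "bad signature"
    now = time.time() if now is None else now
    times = {n: claims.get(n) for n in ("exp", "nbf", "iat")}
    for name, value in times.items():
        if value is not None and (isinstance(value, bool) or not isinstance(value, (int, float))):
            return False, f"malformed {name}"
    if times["exp"] is None:
        return False, "missing exp"  # policy choice here: no expiry means the token never ages out
    if now >= times["exp"] + LEEWAY:
        return False, "expired"
    if times["nbf"] is not None and times["nbf"] > now + LEEWAY:
        return False, "not yet valid"
    if times["iat"] is not None and times["iat"] > now + LEEWAY:
        return False, "issued in the future"
    return True, "ok"
```
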
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.eclipse.edc:transfer-data-plane (Maven) | >= 0.5.0, < 0.9.0 | 0.9.0 |
Affected products
- cpe:2.3:a:eclipse:eclipse_dataspace_components:*:*:*:*:*:*:*:* (Range: >=0.5.0,<0.9.0)
Patches
- 2de2e94d06ea
- 04899e91dcdb
References
- github.com/eclipse-edc/Connector/commit/04899e91dcdb4a407db4eb7af3e7b6ff9a9e9ad6 (nvd: Patch, WEB)
- github.com/advisories/GHSA-8259-2x72-2gvc (ghsa: ADVISORY)
- gitlab.eclipse.org/security/vulnerability-reports/-/issues/234 (nvd: Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-8642 (ghsa: ADVISORY)
- github.com/eclipse-edc/Connector/blob/bcb2e42aee82ce1863be3dcbdab29919d39a0e97/extensions/control-plane/transfer/transfer-data-plane/src/main/java/org/eclipse/edc/connector/controlplane/transfer/dataplane/api/ConsumerPullTransferTokenValidationApiController.java (ghsa: WEB)
- github.com/eclipse-edc/Connector/releases/tag/v0.9.0 (nvd: Release Notes, WEB)
- gitlab.eclipse.org/security/cve-assignement/-/issues/28 (nvd: Issue Tracking)
- gitlab.eclipse.org/security/cve-assignment/-/issues/28 (ghsa: WEB)