CVE-2024-4536: Eclipse EDC: OAuth2 Credential Exfiltration Vulnerability
First published: Tue May 07 2024(Updated: )
In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, in the [EDC Connector component](https://github.com/eclipse-edc/Connector), an attacker might obtain OAuth2 client secrets from the vault. In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, we have identified a security vulnerability in the EDC Connector component ( https://github.com/eclipse-edc/Connector ) regarding the OAuth2-protected data sink feature. When using a custom, OAuth2-protected data sink, the OAuth2-specific data address properties are resolved by the provider data plane. Problematically, the consumer-provided clientSecretKey, which indicates the OAuth2 client secret to retrieve from a secrets vault, is resolved in the context of the provider's vault, not the consumer. This secret's value is then sent to the tokenUrl, also consumer-controlled, as part of an OAuth2 client credentials grant. The returned access token is then sent as a bearer token to the data sink URL. This feature is now disabled entirely, because not all code paths necessary for a successful realization were fully implemented.
Credit: emo@eclipse.org emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.eclipse.edc:connector-core | >=0.2.1<0.6.3 | 0.6.3 |
| Eclipse EDC Connector | >=0.2.1<0.6.3 | |
| >=0.2.1<0.6.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/eclipse-edc/Connector/commit/a4e6018d2c0457fba6f672fafa6c590513c45d1b
- https://github.com/eclipse-edc/Connector/releases/tag/v0.6.3
- https://gitlab.eclipse.org/security/cve-assignement/-/issues/22
- https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/198
- https://nvd.nist.gov/vuln/detail/CVE-2024-4536
- https://github.com/advisories/GHSA-2x52-8f29-7cjr (Advisory)
Frequently Asked Questions
What is the severity of CVE-2024-4536?
The severity of CVE-2024-4536 has not been officially rated, but it poses a risk of sensitive data exposure.
How do I fix CVE-2024-4536?
To fix CVE-2024-4536, upgrade to Eclipse Dataspace Components version 0.6.3 or later.
What components are affected by CVE-2024-4536?
CVE-2024-4536 affects the EDC Connector component in Eclipse Dataspace Components versions 0.2.1 to 0.6.2.
What specific vulnerability does CVE-2024-4536 exploit?
CVE-2024-4536 exploits a flaw that allows an attacker to obtain OAuth2 client secrets from the vault.
Is CVE-2024-4536 specific to any operating systems?
CVE-2024-4536 is not specific to any operating systems, rather it affects the applications using the vulnerable versions of the EDC Connector.
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-2x52-8f29-7cjr
- alias/CVE-2024-4536
- agent/software-canonical-lookup
- agent/references
- agent/description
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/source
- agent/last-modified-date
- agent/softwarecombine
- agent/severity
- agent/remedy
- agent/event
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/tags
- package-manager/maven
- vendor/eclipse
- canonical/eclipse edc connector
- version/eclipse edc connector/0.2.1