org.eclipse.edc:transfer-data-plane@0.7.0 vulnerabilities

  • latest version

    0.8.1

  • latest non vulnerable version

  • first published

    2 years ago

  • latest version published

    4 months ago

  • licenses detected

  • package manager

Direct Vulnerabilities

Known vulnerabilities in the org.eclipse.edc:transfer-data-plane package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Incorrect Implementation of Authentication Algorithm

Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm via the ConsumerPullTransferTokenValidationApiController function. An attacker can bypass the check for token expiration by exploiting the lack of validation for token validity (expiry, not-before, issuance date).

Note:

This is only exploitable if a dataplane is configured to support http proxy consumer pull.

How to fix Incorrect Implementation of Authentication Algorithm?

Upgrade org.eclipse.edc:transfer-data-plane to version 0.9.0 or higher.

[0.5.0,0.9.0)