{
  "url": "http://public2.vulnerablecode.io/api/packages/30931?format=json",
  "purl": "pkg:maven/org.eclipse.edc/connector-core@0.2.1",
  "type": "maven",
  "namespace": "org.eclipse.edc",
  "name": "connector-core",
  "version": "0.2.1",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": "0.6.3",
  "latest_non_vulnerable_version": "0.6.3",
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47290?format=json",
      "vulnerability_id": "VCID-jvmt-wkzh-93hu",
      "summary": "In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, in the EDC Connector component ( https://github.com/eclipse-edc/Connector ), an attacker might obtain OAuth2 client secrets from the vault.\n\nIn Eclipse Dataspace Components from version 0.2.1 to 0.6.2, we have identified a security vulnerability in the EDC Connector component ( https://github.com/eclipse-edc/Connector ) regarding the OAuth2-protected data sink feature. When using a custom, OAuth2-protected data sink, the OAuth2-specific data address properties are resolved by the provider data plane. Problematically, the consumer-provided clientSecretKey, which indicates the OAuth2 client secret to retrieve from a secrets vault, is resolved in the context of the provider's vault, not the consumer. This secret's value is then sent to the tokenUrl, also consumer-controlled, as part of an OAuth2 client credentials grant. The returned access token is then sent as a bearer token to the data sink URL.\n\nThis feature is now disabled entirely, because not all code paths necessary for a successful realization were fully implemented.",
      "references": [
        {
          "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4536",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "0.00047",
              "scoring_system": "epss",
              "scoring_elements": "0.14943",
              "published_at": "2026-06-11T12:55:00Z"
            }
          ],
          "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-4536"
        },
        {
          "reference_url": "https://github.com/eclipse-edc/Connector",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {
              "value": "6.8",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/eclipse-edc/Connector"
        },
        {
          "reference_url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/198",
          "reference_id": "198",
          "reference_type": "",
          "scores": [
            {
              "value": "6.8",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            },
            {
              "value": "Track",
              "scoring_system": "ssvc",
              "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-07T14:50:50Z/"
            }
          ],
          "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/198"
        },
        {
          "reference_url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/22",
          "reference_id": "22",
          "reference_type": "",
          "scores": [
            {
              "value": "6.8",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            },
            {
              "value": "Track",
              "scoring_system": "ssvc",
              "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-07T14:50:50Z/"
            }
          ],
          "url": "https://gitlab.eclipse.org/security/cve-assignement/-/issues/22"
        },
        {
          "reference_url": "https://github.com/eclipse-edc/Connector/commit/a4e6018d2c0457fba6f672fafa6c590513c45d1b",
          "reference_id": "a4e6018d2c0457fba6f672fafa6c590513c45d1b",
          "reference_type": "",
          "scores": [
            {
              "value": "6.8",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            },
            {
              "value": "Track",
              "scoring_system": "ssvc",
              "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-07T14:50:50Z/"
            }
          ],
          "url": "https://github.com/eclipse-edc/Connector/commit/a4e6018d2c0457fba6f672fafa6c590513c45d1b"
        },
        {
          "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4536",
          "reference_id": "CVE-2024-4536",
          "reference_type": "",
          "scores": [
            {
              "value": "6.8",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            }
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4536"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-2x52-8f29-7cjr",
          "reference_id": "GHSA-2x52-8f29-7cjr",
          "reference_type": "",
          "scores": [
            {
              "value": "MODERATE",
              "scoring_system": "cvssv3.1_qr",
              "scoring_elements": ""
            }
          ],
          "url": "https://github.com/advisories/GHSA-2x52-8f29-7cjr"
        },
        {
          "reference_url": "https://github.com/eclipse-edc/Connector/releases/tag/v0.6.3",
          "reference_id": "v0.6.3",
          "reference_type": "",
          "scores": [
            {
              "value": "6.8",
              "scoring_system": "cvssv3.1",
              "scoring_elements": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L"
            },
            {
              "value": "MODERATE",
              "scoring_system": "generic_textual",
              "scoring_elements": ""
            },
            {
              "value": "Track",
              "scoring_system": "ssvc",
              "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-07T14:50:50Z/"
            }
          ],
          "url": "https://github.com/eclipse-edc/Connector/releases/tag/v0.6.3"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/30932?format=json",
          "purl": "pkg:maven/org.eclipse.edc/connector-core@0.6.3",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.edc/connector-core@0.6.3"
        }
      ],
      "aliases": [
        "CVE-2024-4536",
        "GHSA-2x52-8f29-7cjr"
      ],
      "risk_score": 3.1,
      "exploitability": "0.5",
      "weighted_severity": "6.2",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jvmt-wkzh-93hu"
    }
  ],
  "fixing_vulnerabilities": [],
  "risk_score": "3.1",
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.edc/connector-core@0.2.1"
}