How severe is CVE-2024-4536?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.3 out of 10.

What type of vulnerability is CVE-2024-4536?

This is classified as CWE-201, which is a common weakness in software security.

CVE-2024-4536

MEDIUM Year: 2024

CVSS v3 Score

5.3

Medium

Weakness Type

CWE-201

View all →

Vulnerability Description

In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, in the EDC Connector component ( https://github.com/eclipse-edc/Connector ), an attacker might obtain OAuth2 client secrets from the vault. In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, we have identified a security vulnerability in the EDC Connector component ( https://github.com/eclipse-edc/Connector ) regarding the OAuth2-protected data sink feature. When using a custom, OAuth2-protected data sink, the OAuth2-specific data address properties are resolved by the provider data plane. Problematically, the consumer-provided clientSecretKey, which indicates the OAuth2 client secret to retrieve from a secrets vault, is resolved in the context of the provider's vault, not the consumer. This secret's value is then sent to the tokenUrl, also consumer-controlled, as part of an OAuth2 client credentials grant. The returned access token is then sent as a bearer token to the data sink URL. This feature is now disabled entirely, because not all code paths necessary for a successful realization were fully implemented.

CVE-2020-25703

MEDIUM

CVSS:5.3(Medium)

The participants table download in Moodle always included user emails, but should have only done so when users' emails are not hidden. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5 and 3.7 to 3.7.8. T...

CWE-2012020

CVE-2021-1129

MEDIUM

CVSS:5.3(Medium)

A vulnerability in the authentication for the general purpose APIs implementation of Cisco Email Security Appliance (ESA), Cisco Content Security Management Appliance (SMA), and Cisco Web Security App...

CWE-2012021

CVE-2022-27779

MEDIUM

CVSS:5.3(Medium)

libcurl wrongly allows cookies to be set for Top Level Domains (TLDs) if thehost name is provided with a trailing dot.curl can be told to receive and send cookies. curl's "cookie engine" can bebuilt w...

CWE-2012022

CVE-2023-3102

MEDIUM

CVSS:5.3(Medium)

A sensitive information leak issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows access to title...

CWE-2012023

CVE-2023-34968

MEDIUM

CVSS:5.3(Medium)

A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries...

CWE-2012023

CVE-2023-38013

MEDIUM

CVSS:5.3(Medium)

IBM Cloud Pak System 2.3.3.0, 2.3.3.3, 2.3.3.3 iFix1, 2.3.3.4, 2.3.3.5, 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.3.7, and 2.3.3.7 iFix1 could disclose sensitive information in HTTP responses that co...

CWE-2012023

CVE-2024-4536

Vulnerability Description

Related Vulnerabilities

CVE-2020-25703

CVE-2021-1129

CVE-2022-27779

CVE-2023-3102

CVE-2023-34968

CVE-2023-38013