How severe is CVE-2024-9202?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 5.3 out of 10.

What type of vulnerability is CVE-2024-9202?

This is classified as CWE-862, which is a common weakness in software security.

CVE-2024-9202 - MEDIUM Severity | CVSS 5.3

Vulnerability Description

In Eclipse Dataspace Components versions 0.1.3 to 0.9.0, the Connector component filters which datasets (= data offers) another party can see in a requested catalog, to ensure that only authorized parties are able to view restricted offers. However, there is the possibility to request a single dataset, which should be subject to the same filtering process, but currently is missing the correct filtering. This enables parties to potentially see datasets they should not have access to, thereby exposing sensitive information. Exploiting this vulnerability requires knowing the ID of a restricted dataset, but some IDs may be guessed by trying out many IDs in an automated way. Affected code: DatasetResolverImpl, L76-79 https://github.com/eclipse-edc/Connector/blob/v0.9.0/core/control-plane/control-plane-catalog/src/main/java/org/eclipse/edc/connector/controlplane/catalog/DatasetResolverImpl.java

Related Vulnerabilities

CVE-2017-1000105

MEDIUM

CVSS:5.3(Medium)

The optional Run/Artifacts permission can be enabled by setting a Java system property. Blue Ocean did not check this permission before providing access to archived artifacts, Item/Read permission was...

CWE-8622017

CVE-2017-8217

MEDIUM

CVSS:5.3(Medium)

TP-Link C2 and C20i devices through firmware 0.9.1 4.2 v0032.0 Build 160706 Rel.37961n have too permissive iptables rules, e.g., SNMP is not blocked on any interface.

CWE-8622017

CVE-2018-1000022

MEDIUM

CVSS:5.3(Medium)

Electrum Technologies GmbH Electrum Bitcoin Wallet version prior to version 3.0.5 contains a Missing Authorization vulnerability in JSONRPC interface that can result in Bitcoin theft, if the user's wa...

CWE-8622018

CVE-2018-10207

MEDIUM

CVSS:5.3(Medium)

An issue was discovered in Vaultize Enterprise File Sharing 17.05.31. An attacker can exploit Missing Authorization on the FlexPaperViewer SWF reader, and export files that should have been restricted...

CWE-8622018

CVE-2018-18004

MEDIUM

CVSS:5.3(Medium)

Incorrect Access Control in mod_inetd.cgi in VIVOTEK Network Camera Series products with firmware before XXXXXX-VVTK-0X09a allows remote attackers to enable arbitrary system services via a URL paramet...

CWE-8622018

CVE-2018-21257

MEDIUM

CVSS:5.3(Medium)

An issue was discovered in Mattermost Server before 5.1. It allows attackers to bypass intended access restrictions (for setting a channel header) via the Channel header slash command API.

CWE-8622018