Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
EDC DataSetResolver policy filtering missing
Vulnerability Description
In Eclipse Dataspace Components versions 0.1.3 to 0.9.0, the Connector component filters which datasets (= data offers) another party can see in a requested catalog, to ensure that only authorized parties are able to view restricted offers. However, there is the possibility to request a single dataset, which should be subject to the same filtering process, but currently is missing the correct filtering. This enables parties to potentially see datasets they should not have access to, thereby exposing sensitive information. Exploiting this vulnerability requires knowing the ID of a restricted dataset, but some IDs may be guessed by trying out many IDs in an automated way. Affected code: DatasetResolverImpl, L76-79 https://github.com/eclipse-edc/Connector/blob/v0.9.0/core/control-plane/control-plane-catalog/src/main/java/org/eclipse/edc/connector/controlplane/catalog/DatasetResolverImpl.java
CVSS Information
N/A
Vulnerability Type
授权机制缺失
Vulnerability Title
Eclipse Dataspace Components 安全漏洞
Vulnerability Description
Eclipse Dataspace Components是Eclipse Dataspace Components开源的一个开发连接器。 Eclipse Dataspace Components 0.1.3版本至0.9.0版本存在安全漏洞,该漏洞源于缺少正确的过滤,从而暴露敏感信息。
CVSS Information
N/A
Vulnerability Type
N/A