CVE-2024-12369

Summary

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

Affected Software

VendorProductVersion RangeStatus
0 <= 34.0.1.Finalaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:2.2.9-1.Final_redhat_00001.1.el8eap < *unaffected
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:2.2.9-1.Final_redhat_00001.1.el9eap < *unaffected

Weaknesses

  • CWE-345: Insufficient Verification of Data Authenticity

Workarounds

Currently, no mitigation is currently available for this vulnerability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References