Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-5565-3c98-g6jc

Опубликовано: 25 мар. 2025
Источник: github
Github: Прошло ревью
CVSS3: 4.2

Описание

WildFly Elytron OpenID Connect Client ExtensionOIDC authorization code injection attack

Impact

A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

Patches

2.2.9.Final 2.6.2.Final

Workarounds

Currently, no mitigation is currently available for this vulnerability.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-12369 https://access.redhat.com/security/cve/CVE-2024-12369 https://bugzilla.redhat.com/show_bug.cgi?id=2331178 https://issues.redhat.com/browse/ELY-2887

Ссылки

Пакеты

Наименование

org.wildfly.security:wildfly-elytron

maven
Затронутые версииВерсия исправления

>= 1.17.0.Final, < 2.2.9.Final

2.2.9.Final

Наименование

org.wildfly.security:wildfly-elytron

maven
Затронутые версииВерсия исправления

>= 2.3.0.Final, < 2.6.2.Final

2.6.2.Final

Наименование

org.wildfly.security:wildfly-elytron-http-oidc

maven
Затронутые версииВерсия исправления

>= 1.17.0.Final, < 2.2.9.Final

2.2.9.Final

Наименование

org.wildfly.security:wildfly-elytron-http-oidc

maven
Затронутые версииВерсия исправления

>= 2.3.0.Final, < 2.6.2.Final

2.6.2.Final

EPSS

Процентиль: 54%
0.00308
Низкий

4.2 Medium

CVSS3

CVE ID

CVE-2024-12369

Дефекты

CWE-345

Связанные уязвимости

redhat логотип

CVE-2024-12369

CVSS3: 4.2
redhat
около 1 года назад

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

nvd логотип

CVE-2024-12369

CVSS3: 4.2
nvd
около 1 года назад

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

EPSS

Процентиль: 54%
0.00308
Низкий

4.2 Medium

CVSS3

CVE ID

CVE-2024-12369

Дефекты

CWE-345