Описание
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.
Отчет
Red Hat has evaluated this vulnerability. This affects the OIDC Client when using RHSSO OIDC Adapter with EAP 7.x or elytron-oidc-client with EAP 8.x.
Меры по смягчению последствий
Currently, no mitigation is currently available for this vulnerability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Build of Keycloak | org.jboss.eap/wildfly-elytron-oidc-client-subsystem | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 7 | org.wildfly/wildfly-elytron-oidc-client-subsystem | Will not fix | ||
| Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | eap8-apache-commons-io | Fixed | RHSA-2025:3989 | 17.04.2025 |
| Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | eap8-bouncycastle | Fixed | RHSA-2025:3989 | 17.04.2025 |
| Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | eap8-eap-product-conf-parent | Fixed | RHSA-2025:3989 | 17.04.2025 |
| Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | eap8-hibernate | Fixed | RHSA-2025:3989 | 17.04.2025 |
| Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | eap8-ironjacamar | Fixed | RHSA-2025:3989 | 17.04.2025 |
| Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | eap8-jakarta-enterprise-concurrent | Fixed | RHSA-2025:3989 | 17.04.2025 |
| Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | eap8-jsf-impl | Fixed | RHSA-2025:3989 | 17.04.2025 |
| Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | eap8-reactive-streams | Fixed | RHSA-2025:3989 | 17.04.2025 |
Показывать по
Дополнительная информация
Статус:
EPSS
4.2 Medium
CVSS3
Связанные уязвимости
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.
WildFly Elytron OpenID Connect Client ExtensionOIDC authorization code injection attack
EPSS
4.2 Medium
CVSS3