CVE-2024-12369
Severity: MEDIUM
org.wildfly.security/wildfly-elytron - Data Authenticity Bypass
Title source: ruleDescription
A vulnerability was found in OIDC-Client. When the RH SSO OIDC adapter is used with EAP 7.x, or the elytron-oidc-client subsystem is used with EAP 8.x, authorization code injection attacks are possible: an attacker can inject a stolen authorization code into the attacker's own session with the client, so that the session is established under the victim's identity. The code is usually stolen through a Man-in-the-Middle (MitM) or phishing attack.
Scores
CVSS v3: 4.2
EPSS: 0.0011
EPSS Percentile: 29.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-345
Status: published
Products (18)
org.wildfly.security/wildfly-elytron: 1.17.0.Final - 2.2.9.Final (Maven)
org.wildfly.security/wildfly-elytron-http-oidc: 1.17.0.Final - 2.2.9.Final (Maven)
Red Hat / Red Hat Build of Keycloak
Red Hat / Red Hat JBoss Enterprise Application Platform 7
Red Hat / Red Hat JBoss Enterprise Application Platform 8
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8: 0:1.0.4-3.redhat_00004.1.el8eap
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8: 0:1.80.0-1.redhat_00001.1.el8eap
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8: 0:2.16.1-1.redhat_00001.1.el8eap
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8: 0:2.2.9-1.Final_redhat_00001.1.el8eap
Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8: 0:3.0.1-1.redhat_00001.1.el8eap
... and 8 more
Published: Dec 09, 2024
Tracked Since: Feb 18, 2026