4.2

CVE-2024-12369

Elytron-oidc-client: oidc authorization code injection

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Collection URLhttps://github.com/wildfly/wildfly
Paket wildfly
Default Statusunknown
Version <= 34.0.1.Final
Version 0
Status affected
HerstellerRed Hat
Produkt Red Hat JBoss Enterprise Application Platform 8
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
Default Statusaffected
Version 0:2.2.9-1.Final_redhat_00001.1.el8eap
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
Default Statusaffected
Version 0:2.2.9-1.Final_redhat_00001.1.el9eap
Version < *
Status unaffected
HerstellerRed Hat
Produkt Red Hat Build of Keycloak
Default Statusunaffected
HerstellerRed Hat
Produkt Red Hat JBoss Enterprise Application Platform 7
Default Statusaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.11% 0.29
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
secalert@redhat.com 4.2 1.6 2.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.