VDB

CVE-2024-12369

CVE-2024-12369 PUBLISHED CVSS 4.199999809265137 MEDIUM

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

EPSS 0.12% · 30.7th percentile

Risk Scores

CVSS 3.1
4.199999809265137
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
EPSS Score
0.12%
30.7th percentile

Affected Products

VendorProductVersions
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 80:2.2.9-1.Final_redhat_00001.1.el8eap, 0:2.2.9-1.Final_redhat_00001.1.el8eap
Red HatRed Hat Build of Keycloak
Red HatRed Hat JBoss Enterprise Application Platform 8.0 for RHEL 90:2.2.9-1.Final_redhat_00001.1.el9eap, 0:2.2.9-1.Final_redhat_00001.1.el9eap
Red HatRed Hat JBoss Enterprise Application Platform 7
Mavenorg.wildfly.security:wildfly-elytron2.3.0, 1.17.0.Final, 2.3.0.Final
Mavenorg.wildfly.security:wildfly-elytron-http-oidc1.17.0.Final, 1.17.0, 2.3.0.Final
Red HatRed Hat JBoss Enterprise Application Platform 8
0, 0

Timeline

  • Jan 21, 1970 Fix PR Merged
  • Dec 9, 2024 CVE Published
  • Dec 9, 2024 PoC Published
  • Dec 9, 2024 PoC Published
  • Dec 10, 2024 EPSS Score
  • Dec 27, 2024 EPSS Score
  • Jan 13, 2025 EPSS Score
  • Jan 29, 2025 EPSS Score
  • Feb 15, 2025 EPSS Score
  • Mar 4, 2025 EPSS Score
  • Mar 21, 2025 EPSS Score
  • Mar 25, 2025 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›