CVE-2024-12369 — Vulnetix

Try Vulnetix Request Demo

CVE-2024-12369 PUBLISHED CVSS 4.199999809265137 MEDIUM

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

EPSS 0.08% · 23.8th percentile

Risk Scores

CVSS v3.1

4.199999809265137

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS Score

0.08%

23.8th percentile

Affected Products

Vendor	Product	Versions
Red Hat	Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8	0:2.2.9-1.Final_redhat_00001.1.el8eap
Red Hat	Red Hat Build of Keycloak
Red Hat	Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9	0:2.2.9-1.Final_redhat_00001.1.el9eap
Red Hat	Red Hat JBoss Enterprise Application Platform 7
Maven	org.wildfly.security:wildfly-elytron	1.17.0.Final, 2.3.0.Final
Maven	org.wildfly.security:wildfly-elytron-http-oidc	2.3.0.Final, 1.17.0.Final
Red Hat	Red Hat JBoss Enterprise Application Platform 8
		0

Timeline

Jan 21, 1970 Fix PR Merged
Dec 9, 2024 CVE Published
Dec 9, 2024 PoC Published
Dec 10, 2024 EPSS Score
Dec 26, 2024 EPSS Score
Jan 11, 2025 EPSS Score
Jan 28, 2025 EPSS Score
Feb 13, 2025 EPSS Score
Mar 1, 2025 EPSS Score
Mar 17, 2025 EPSS Score
Mar 25, 2025 CVE Updated
Apr 2, 2025 EPSS Score

References

Open in Interactive Console →