VDB
CVE-2024-12369
CVE-2024-12369
PUBLISHED
CVSS 4.199999809265137 MEDIUM
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.
EPSS 0.12% · 30.7th percentile
Risk Scores
CVSS 3.1
4.199999809265137
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
EPSS Score
0.12%
30.7th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:2.2.9-1.Final_redhat_00001.1.el8eap, 0:2.2.9-1.Final_redhat_00001.1.el8eap |
| Red Hat | Red Hat Build of Keycloak | |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:2.2.9-1.Final_redhat_00001.1.el9eap, 0:2.2.9-1.Final_redhat_00001.1.el9eap |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7 | |
| Maven | org.wildfly.security:wildfly-elytron | 2.3.0, 1.17.0.Final, 2.3.0.Final |
| Maven | org.wildfly.security:wildfly-elytron-http-oidc | 1.17.0.Final, 1.17.0, 2.3.0.Final |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8 | |
| 0, 0 |
Timeline
- Jan 21, 1970 Fix PR Merged
- Dec 9, 2024 CVE Published
- Dec 9, 2024 PoC Published
- Dec 9, 2024 PoC Published
- Dec 10, 2024 EPSS Score
- Dec 27, 2024 EPSS Score
- Jan 13, 2025 EPSS Score
- Jan 29, 2025 EPSS Score
- Feb 15, 2025 EPSS Score
- Mar 4, 2025 EPSS Score
- Mar 21, 2025 EPSS Score
- Mar 25, 2025 CVE Updated
References
- RHSA-2025:3989 vendor-advisory
- RHSA-2025:3990 vendor-advisory
- RHSA-2025:3992 vendor-advisory
- https://access.redhat.com/security/cve/CVE-2024-12369 vdb
- RHBZ#2331178 issue
- https://github.com/wildfly-security/wildfly-elytron/commit/5ac5e6bbcba58883b3cebb2ddbcec4de140c5ceb url
- https://github.com/wildfly-security/wildfly-elytron/commit/d7754f5a6a91ceb0f4dbbbfe301991f6a55404cb url
- https://github.com/wildfly-security/wildfly-elytron/pull/2253 url
- https://github.com/wildfly-security/wildfly-elytron/pull/2261 url
- https://github.com/wildfly-security/wildfly-elytron/security/advisories/GHSA-5565-3c98-g6jc url
- https://nvd.nist.gov/vuln/detail/CVE-2024-12369 advisory
- https://github.com/wildfly-security/wildfly-elytron package
- https://issues.redhat.com/browse/ELY-2887 url