CVE-2024-12369

MEDIUM4.2EPSS 0.12%

WildFly Elytron OpenID Connect Client ExtensionOIDC authorization code injection attack

Published: 3/25/2025Modified: 2/4/2026

Also known as:GHSA-5565-3c98-g6jcCGA-f92m-w235-5wg6

Description

### Impact A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack. ### Patches [2.2.9.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.2.9.Final) [2.6.2.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.6.2.Final) ### Workarounds Currently, no mitigation is currently available for this vulnerability. ### References https://nvd.nist.gov/vuln/detail/CVE-2024-12369 https://access.redhat.com/security/cve/CVE-2024-12369 https://bugzilla.redhat.com/show_bug.cgi?id=2331178 https://issues.redhat.com/browse/ELY-2887

Affected packages (2)

Maven/org.wildfly.security:wildfly-elytron>= 1.17.0.Final, < 2.2.9.Final
Maven/org.wildfly.security:wildfly-elytron-http-oidc>= 1.17.0.Final, < 2.2.9.Final

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.2	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Description

Affected packages (2)

CVSS scores

References (10)