CVE-2024-12369
MEDIUM4.2EPSS 0.12%WildFly Elytron OpenID Connect Client ExtensionOIDC authorization code injection attack
描述
### Impact A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack. ### Patches [2.2.9.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.2.9.Final) [2.6.2.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.6.2.Final) ### Workarounds Currently, no mitigation is currently available for this vulnerability. ### References https://nvd.nist.gov/vuln/detail/CVE-2024-12369 https://access.redhat.com/security/cve/CVE-2024-12369 https://bugzilla.redhat.com/show_bug.cgi?id=2331178 https://issues.redhat.com/browse/ELY-2887
受影響套件(2)
- Maven/org.wildfly.security:wildfly-elytron>= 1.17.0.Final, < 2.2.9.Final
- Maven/org.wildfly.security:wildfly-elytron-http-oidc>= 1.17.0.Final, < 2.2.9.Final
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.2 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N |
參考連結(10)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-12369
- PATCHhttps://github.com/wildfly-security/wildfly-elytron
- WEBhttps://access.redhat.com/security/cve/CVE-2024-12369
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2331178
- WEBhttps://github.com/wildfly-security/wildfly-elytron/commit/5ac5e6bbcba58883b3cebb2ddbcec4de140c5ceb
- WEBhttps://github.com/wildfly-security/wildfly-elytron/commit/d7754f5a6a91ceb0f4dbbbfe301991f6a55404cb
- WEBhttps://github.com/wildfly-security/wildfly-elytron/pull/2253
- WEBhttps://github.com/wildfly-security/wildfly-elytron/pull/2261
- WEBhttps://github.com/wildfly-security/wildfly-elytron/security/advisories/GHSA-5565-3c98-g6jc
- WEBhttps://issues.redhat.com/browse/ELY-2887