CVE-2024-12369

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

CVSS v3 4.2 MEDIUM

4.2^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2025:3989
https://access.redhat.com/security/cve/CVE-2024-12369
https://bugzilla.redhat.com/show_bug.cgi?id=2331178

Configurations

No configuration.

History

17 Apr 2025, 19:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2025:3989 -
Summary		(es) Se encontró una vulnerabilidad en OIDC-Client. Al utilizar el adaptador RH SSO OIDC con EAP 7.x o al utilizar el subsistema elytron-oidc-client con EAP 8.x, pueden producirse ataques de inyección de código de autorización, lo que permite a un atacante inyectar un código de autorización robado en la propia sesión del atacante con el cliente con la identidad de la víctima. Esto suele hacerse con un ataque de tipo Man-in-the-Middle (MitM) o de phishing.

09 Dec 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-09 21:15

Updated : 2025-04-17 19:15

NVD link : CVE-2024-12369

Mitre link : CVE-2024-12369

CVE.ORG link : CVE-2024-12369

JSON object : View

Products Affected

No product.

CWE

CWE-345

Insufficient Verification of Data Authenticity

4.2 /10