GHSA-5565-3c98-g6jc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5565-3c98-g6jc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-5565-3c98-g6jc/GHSA-5565-3c98-g6jc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5565-3c98-g6jc
- Aliases
-
- CVE-2024-12369
- Related
- Published
- 2025-03-25T21:49:11Z
- Modified
- 2025-03-25T22:04:55.289590Z
- Severity
-
- 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- WildFly Elytron OpenID Connect Client ExtensionOIDC authorization code injection attack
- Details
-
Impact
A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.
Patches
Workarounds
Currently, no mitigation is currently available for this vulnerability.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-12369 https://access.redhat.com/security/cve/CVE-2024-12369
https://bugzilla.redhat.com/show_bug.cgi?id=2331178 https://issues.redhat.com/browse/ELY-2887 - Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-345" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-03-25T21:49:11Z" }- References
-
- https://github.com/wildfly-security/wildfly-elytron/security/advisories/GHSA-5565-3c98-g6jc
- https://nvd.nist.gov/vuln/detail/CVE-2024-12369
- https://github.com/wildfly-security/wildfly-elytron/pull/2253
- https://github.com/wildfly-security/wildfly-elytron/pull/2261
- https://github.com/wildfly-security/wildfly-elytron/commit/5ac5e6bbcba58883b3cebb2ddbcec4de140c5ceb
- https://github.com/wildfly-security/wildfly-elytron/commit/d7754f5a6a91ceb0f4dbbbfe301991f6a55404cb
- https://access.redhat.com/security/cve/CVE-2024-12369
- https://bugzilla.redhat.com/show_bug.cgi?id=2331178
- https://github.com/wildfly-security/wildfly-elytron
- https://issues.redhat.com/browse/ELY-2887
Affected packages
Maven / org.wildfly.security:wildfly-elytron
Package
- Name
- org.wildfly.security:wildfly-elytron
- View open source insights on deps.dev
- Purl
- pkg:maven/org.wildfly.security/wildfly-elytron
Affected versions
1.*
1.17.0.Final
1.17.1.Final
1.17.2.Final
1.17.3.Final
1.18.0.Final
1.18.1.Final
1.18.2.Final
1.18.3.Final
1.19.0.Final
1.19.1.Final
1.20.0.Final
1.20.1.Final
1.20.2.Final
1.20.3.Final
1.20.4.Final
2.*
2.0.0.Alpha1
2.0.0.Alpha2
2.0.0.Alpha3
2.0.0.Alpha4
2.0.0.Alpha5
2.0.0.Alpha6
2.0.0.Alpha7
2.0.0.Alpha8
2.0.0.Alpha9
2.0.0.Alpha10
2.0.0.Beta1
2.0.0.Beta2
2.0.0.Beta3
2.0.0.Final
2.1.0.Final
2.2.0.Final
2.2.1.Final
2.2.2.Final
2.2.3.Final
2.2.4.Final
2.2.5.Final
2.2.6.Final
2.2.7.Final
2.2.8.Final
Maven / org.wildfly.security:wildfly-elytron
Package
- Name
- org.wildfly.security:wildfly-elytron
- View open source insights on deps.dev
- Purl
- pkg:maven/org.wildfly.security/wildfly-elytron
Maven / org.wildfly.security:wildfly-elytron-http-oidc
Package
- Name
- org.wildfly.security:wildfly-elytron-http-oidc
- View open source insights on deps.dev
- Purl
- pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc
Affected versions
1.*
1.17.0.Final
1.17.1.Final
1.17.2.Final
1.17.3.Final
1.18.0.Final
1.18.1.Final
1.18.2.Final
1.18.3.Final
1.19.0.Final
1.19.1.Final
1.20.0.Final
1.20.1.Final
1.20.2.Final
1.20.3.Final
1.20.4.Final
2.*
2.0.0.Beta1
2.0.0.Beta2
2.0.0.Beta3
2.0.0.Final
2.1.0.Final
2.2.0.Final
2.2.1.Final
2.2.2.Final
2.2.3.Final
2.2.4.Final
2.2.5.Final
2.2.6.Final
2.2.7.Final
2.2.8.Final
Maven / org.wildfly.security:wildfly-elytron-http-oidc
Package
- Name
- org.wildfly.security:wildfly-elytron-http-oidc
- View open source insights on deps.dev
- Purl
- pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc