CVE-2024-12369 – org.wildfly.security:wildfly-elytron

Package

Manager: maven
Name: org.wildfly.security:wildfly-elytron
Vulnerable Version: >=1.17.0.final <2.2.9.final || >=2.3.0.final <2.6.2.final

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00064 pctl0.20012

Details

WildFly Elytron OpenID Connect Client ExtensionOIDC authorization code injection attack ### Impact A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack. ### Patches [2.2.9.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.2.9.Final) [2.6.2.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.6.2.Final) ### Workarounds Currently, no mitigation is currently available for this vulnerability. ### References https://nvd.nist.gov/vuln/detail/CVE-2024-12369 https://access.redhat.com/security/cve/CVE-2024-12369 https://bugzilla.redhat.com/show_bug.cgi?id=2331178 https://issues.redhat.com/browse/ELY-2887

Metadata

Created: 2025-03-25T21:49:11Z
Modified: 2025-03-25T21:49:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-5565-3c98-g6jc/GHSA-5565-3c98-g6jc.json
CWE IDs: ["CWE-345"]
Alternative ID: GHSA-5565-3c98-g6jc
Finding: F204
Auto approve: 1