CVE-2024-12369— Elytron-oidc-client: oidc authorization code injection
I. Basic Information for CVE-2024-12369
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Elytron-oidc-client: oidc authorization code injection
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对数据真实性的验证不充分
Source: NVD (National Vulnerability Database)
Vulnerability Title
OIDC-Client 数据伪造问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
OIDC-Client是IdentityModel开源的一个为客户端、基于浏览器的 JavaScript 客户端应用程序提供 OpenID Connect (OIDC) 和 OAuth2 协议支持的库。 OIDC-Client存在数据伪造问题漏洞,该漏洞源于当使用带有 EAP 7.x 的 RH SSO OIDC 适配器或使用带有 EAP 8.x 的 elytron-oidc-client 子系统时,可能会发生授权代码注入攻击。攻击者利用该漏洞可以将窃取的授权代码注入攻击者自己与具有受害者身份的客户端的会话
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| - | - | 0 ~ 34.0.1.Final | - | |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8 | - | cpe:/a:redhat:jboss_enterprise_application_platform:8.0 | |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 | 0:2.2.9-1.Final_redhat_00001.1.el8eap ~ * | cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8 | |
| Red Hat | Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 | 0:2.2.9-1.Final_redhat_00001.1.el9eap ~ * | cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9 | |
| Red Hat | Red Hat Build of Keycloak | - | cpe:/a:redhat:build_keycloak: | |
| Red Hat | Red Hat JBoss Enterprise Application Platform 7 | - | cpe:/a:redhat:jboss_enterprise_application_platform:7 |
II. Public POCs for CVE-2024-12369
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-12369
请登录查看更多情报信息。
- 2331178 – (CVE-2024-12369) CVE-2024-12369 elytron-oidc-client: OIDC Authorization Code Injectionissue-trackingx_refsource_REDHAT
- https://nvd.nist.gov/vuln/detail/CVE-2024-12369
IV. Related Vulnerabilities
Same weakness: CWE-345
- CVE-2026-42575
apko doesn't verify downloaded apk packages against APKINDEX - CVE-2026-41432
New API: Stripe Webhook Signature Bypass via Empty Secret En - CVE-2026-42206
Roadiz OpenID Connect nonce generated but never validated — - CVE-2026-31835
Vaultwarden WebAuthn credential metadata tampered before sig - CVE-2026-43534
OpenClaw < 2026.4.10 - Unsanitized External Input in Agent H
V. Comments for CVE-2024-12369
No comments yet