CVE-2024-12369

Aliases:GHSA-5565-3c98-g6jc
Advisory lineage Upstream: 0 Downstream: 2
Deferred
Published: 09 Dec 2024, 20:53
Last modified:30 Apr 2026, 13:27

Vulnerability Summary

Overall Risk (default)
low
17/100
CVSS Score
4.2 MEDIUM
v3.1 (cve.org)
EPSS Score
0.12% LOW
0% probability -0.19%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

09 Dec 2024, 20:53
Published
Vulnerability first disclosed
30 Apr 2026, 13:27
Last Modified
Vulnerability information updated

Description

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

CVSS Metrics

  • v3.1MEDIUMScore: 4.2CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

EPSS Trends

Current EPSS score: 0.12% Percentile: 31%

Techniques & Countermeasures

  • CWE-345Insufficient Verification of Data Authenticity

    The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Affected Systems

  • org.wildfly.securitywildfly-elytron

    ≥ 1.17.0.Final, < 2.2.9.Final | ≥ 2.3.0.Final, < 2.6.2.Final

  • org.wildfly.securitywildfly-elytron-http-oidc

    ≥ 1.17.0.Final, < 2.2.9.Final | ≥ 2.3.0.Final, < 2.6.2.Final

References (13)