PT-2024-14908 · Red Hat · Red Hat Enterprise Application Platform 8, JBoss EAP

Rohit Keshri

·

Published

2024-04-09

·

Updated

2024-06-18

·

CVE-2023-6236

CVSS v3.1

7.3

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Red Hat Enterprise Application Platform 8; JBoss EAP (affected versions not specified)
Description

A flaw was found in the OIDC client support of JBoss EAP (Red Hat Enterprise Application Platform 8). When an OIDC application that serves multiple tenants is used to access a second tenant, the user should be prompted to log in again, because the second tenant is secured with a different OIDC configuration. Instead, the token cached for the first tenant can be reused. The root cause is in OidcSessionTokenStore: the check that decides whether a cached token may be reused considers only the realm option, so two tenants that share a realm name (or that are configured through provider-url and therefore carry no distinguishing realm) look identical to it. The comparison must also take the provider-url option into account.

Recommendations

For Red Hat Enterprise Application Platform 8 and JBoss EAP, apply the vendor updates referenced by RHSA-2024:3580 and RHSA-2024:3581, which correct the OidcSessionTokenStore logic so that a cached token is reused only when both the realm and the provider-url of the current deployment match the ones the token was obtained for. Until the update is applied, disabling cached-token reuse in OidcSessionTokenStore forces a fresh login for each tenant; treat this as a temporary mitigation, not a fix, since it does not correct the comparison itself. After updating, verify that a session authenticated against one tenant is prompted to log in again when it first accesses a second tenant that uses a different provider-url.
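As an added illustration (not code from this page, from Red Hat, or from the WildFly/EAP source), the following self-contained Java model shows the cached-token decision the description refers to: the vulnerable form reuses a cached token whenever the realm matches, the corrected form requires realm and provider-url to match. The class and field names (OidcConfig, CachedToken, reuseCachedTokenVulnerable, reuseCachedTokenFixed) are assumptions made for this example and do not mirror the real OidcSessionTokenStore API; the two tenant configurations and the token string are constructed sample data. The second pair of tenants goes slightly beyond the advisory text by covering deployments configured with provider-url and no realm at all, where a realm-only comparison sees two null realms as equal.

```java
import java.util.Objects;

/**
 * Illustrative model of the cached-token check described in CVE-2023-6236.
 * NOT the WildFly/EAP OidcSessionTokenStore source: all names are assumptions.
 */
public class OidcTokenCacheModel {

    /** Minimal OIDC configuration of one tenant (hypothetical shape). */
    static final class OidcConfig {
        final String realm;        // may be null when provider-url is used instead
        final String providerUrl;  // the "new provider-url option" from the advisory

        OidcConfig(String realm, String providerUrl) {
            this.realm = realm;
            this.providerUrl = providerUrl;
        }
    }

    /** A token cached in the HTTP session, with the tenant config it was issued for. */
    static final class CachedToken {
        final String token;
        final OidcConfig issuedFor;

        CachedToken(String token, OidcConfig issuedFor) {
            this.token = token;
            this.issuedFor = issuedFor;
        }
    }

    /** Vulnerable decision: reuse the cached token whenever the realm name matches. */
    static boolean reuseCachedTokenVulnerable(CachedToken cached, OidcConfig current) {
        return cached != null
                && Objects.equals(cached.issuedFor.realm, current.realm);
    }

    /** Fixed decision: realm AND provider-url must both match the current deployment. */
    static boolean reuseCachedTokenFixed(CachedToken cached, OidcConfig current) {
        return cached != null
                && Objects.equals(cached.issuedFor.realm, current.realm)
                && Objects.equals(cached.issuedFor.providerUrl, current.providerUrl);
    }

    /** Convenience wrapper: a request that may not reuse the token must re-authenticate. */
    static boolean mustLoginAgain(CachedToken cached, OidcConfig current, boolean fixed) {
        return fixed ? !reuseCachedTokenFixed(cached, current)
                     : !reuseCachedTokenVulnerable(cached, current);
    }

    public static void main(String[] args) {
        // Constructed sample 1: two tenants sharing a realm name on different providers.
        OidcConfig tenantA = new OidcConfig("demo", "https://idp-a.example.test/realms/demo");
        OidcConfig tenantB = new OidcConfig("demo", "https://idp-b.example.test/realms/demo");
        CachedToken fromA = new CachedToken("constructed-token-for-tenant-A", tenantA);

        System.out.println("same realm, different provider-url:");
        System.out.println("  vulnerable re-login required: " + mustLoginAgain(fromA, tenantB, false));
        System.out.println("  fixed      re-login required: " + mustLoginAgain(fromA, tenantB, true));
        System.out.println("  fixed, same tenant, re-login required: " + mustLoginAgain(fromA, tenantA, true));

        // Constructed sample 2: provider-url only, realm unset on both tenants.
        OidcConfig tenantC = new OidcConfig(null, "https://idp-c.example.test/realms/c");
        OidcConfig tenantD = new OidcConfig(null, "https://idp-d.example.test/realms/d");
        CachedToken fromC = new CachedToken("constructed-token-for-tenant-C", tenantC);

        System.out.println("provider-url only, realm unset:");
        System.out.println("  vulnerable re-login required: " + mustLoginAgain(fromC, tenantD, false));
        System.out.println("  fixed      re-login required: " + mustLoginAgain(fromC, tenantD, true));
    }
}
```

Compile and run with `javac OidcTokenCacheModel.java && java OidcTokenCacheModel`. In both constructed cases the vulnerable check accepts the first tenant's token for the second tenant, so no login prompt would be issued; the fixed check rejects it because the provider-url differs, while still accepting the token for the tenant it was actually issued for.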

Fix

RHSA-2024:3580, RHSA-2024:3581

Weakness Enumeration

Insufficient Verification of Data Authenticity (CWE-345)

Related Identifiers

CVE-2023-6236
GHSA-JPMX-996V-48FM
RHSA-2024:3580
RHSA-2024:3581

Affected Products

JBoss EAP
Red Hat Enterprise Application Platform 8