PT-2024-17571 · Red Hat (+1) · EAP 7.x (+2)

Olivier Rivat · Published 2024-12-09 · Updated 2026-01-26 · CVE-2024-12369

CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OIDC-Client versions prior to the fixed version; EAP 7.x; EAP 8.x

Description
A vulnerability was found in OIDC-Client that allows authorization code injection attacks when the RH SSO OIDC adapter is used with EAP 7.x or the elytron-oidc-client subsystem is used with EAP 8.x. An attacker who has obtained a victim's authorization code, typically through a Man-in-the-Middle (MitM) or phishing attack, can inject it into their own session with the client and thereby impersonate the victim's identity.

Recommendations
For OIDC-Client, update to a version that includes the fix for this issue. For EAP 7.x, consider disabling the RH SSO OIDC adapter until a patch is available. For EAP 8.x, restrict access to the elytron-oidc-client subsystem to minimize the risk of exploitation. As a temporary workaround, consider implementing additional security measures to detect and prevent Man-in-the-Middle (MitM) or phishing attacks.
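The session-binding check that defeats an injected authorization code, as an added Python example (not code from the advisory, from OIDC-Client or from the elytron-oidc-client subsystem, and not necessarily the vendor's fix): the relying party ties each code to the browser session that started the login through the state parameter, a PKCE code_verifier and the ID-token nonce, as the OAuth 2.0 Security BCP recommends, and rejects a stolen code replayed through the attacker's own session. The authorization server and ID token are simulated in memory so the example runs offline.

```python
import base64, hashlib, secrets

def _s256(verifier: str) -> str:
    """PKCE S256: base64url(SHA-256(code_verifier)) without '=' padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

def start_login(session: dict) -> dict:
    """RP side: mint per-session state, nonce and PKCE verifier, kept server-side."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    session["code_verifier"] = secrets.token_urlsafe(32)
    return {"state": session["state"], "nonce": session["nonce"],
            "code_challenge": _s256(session["code_verifier"]), "code_challenge_method": "S256"}

class FakeAuthServer:
    """Constructed stand-in for the authorization server; not a real IdP."""
    def __init__(self):
        self.codes = {}

    def authorize(self, req: dict, subject: str) -> str:
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"sub": subject, "nonce": req["nonce"], "challenge": req["code_challenge"]}
        return code

    def token(self, code: str, code_verifier: str):
        rec = self.codes.pop(code, None)  # codes are single use
        if rec is None or _s256(code_verifier) != rec["challenge"]:
            return None
        return {"sub": rec["sub"], "nonce": rec["nonce"]}  # stands in for a verified ID token

def handle_callback(session: dict, srv: FakeAuthServer, state: str, code: str) -> tuple:
    """RP callback: accept the code only if it belongs to *this* browser session."""
    if state != session.get("state"):
        return ("reject", "state mismatch")
    tok = srv.token(code, session["code_verifier"])
    if tok is None:
        return ("reject", "pkce failure")    # verifier belongs to another session
    if tok["nonce"] != session["nonce"]:
        return ("reject", "nonce mismatch")  # defence in depth when the AS lacks PKCE
    return ("accept", tok["sub"])

def demo() -> tuple:
    srv = FakeAuthServer()
    victim, attacker = {}, {}
    vreq, areq = start_login(victim), start_login(attacker)
    stolen = srv.authorize(vreq, "victim")  # victim's code, as leaked via MitM/phishing
    injected = handle_callback(attacker, srv, areq["state"], stolen)  # attacker's own session
    legit = handle_callback(victim, srv, vreq["state"], srv.authorize(vreq, "victim"))
    return injected, legit
```

A client that checks only that the code is valid at the token endpoint, without the PKCE or nonce binding, would accept the injected code and log the attacker in as the victim.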

Fix

Weakness Enumeration

Insufficient Verification of Data Authenticity

Related Identifiers

CVE-2024-12369
GHSA-4V5X-9M47-CQR2
GHSA-5565-3C98-G6JC
RHSA-2025:3989
RHSA-2025:3990

Affected Products

EAP 7.x
EAP 8.x
OIDC-Client