Medium severity (4.2) · OSV Advisory · Published Dec 9, 2024 · Updated Apr 15, 2026
CVE-2024-12369
Description
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x, or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur: an attacker can inject a stolen authorization code into the attacker's own session with the client and thereby obtain a session under the victim's identity. This is usually carried out with a Man-in-the-Middle (MitM) or phishing attack.
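The attack class named above is defeated on the client side by binding every authorization request to the browser session that started it: a per-session `state` value checked at the callback, plus a PKCE `code_verifier` that only that session can present to the token endpoint, so a code issued for another session cannot be redeemed. The simulation below is an added example with a constructed in-memory provider and a hypothetical relying party; it is not code from wildfly-elytron, whose actual fix is in the commits listed under References.

```python
import base64, hashlib, secrets

def s256(verifier):
    # PKCE S256 transform: base64url(SHA-256(code_verifier)) without '=' padding
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

class FakeProvider:
    # Constructed stand-in for the OpenID provider's authorize and token endpoints
    def __init__(self):
        self.codes = {}  # authorization code -> (subject, code_challenge)
    def authorize(self, subject, code_challenge):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (subject, code_challenge)
        return code
    def token(self, code, code_verifier):
        subject, challenge = self.codes.pop(code, (None, None))  # codes are single use
        if subject is None or not secrets.compare_digest(s256(code_verifier), challenge):
            return None  # unknown or replayed code, or code bound to another session's verifier
        return subject

class OidcClient:
    # Hypothetical relying party: each login attempt is bound to the browser session that started it
    def __init__(self, provider):
        self.provider = provider
        self.pending = {}  # session id -> (state, code_verifier), never sent to the browser
    def start_login(self, session_id):
        state, verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.pending[session_id] = (state, verifier)
        return state, s256(verifier)  # state and code_challenge go into the authorization request
    def callback(self, session_id, code, state):
        expected_state, verifier = self.pending.pop(session_id, (None, None))
        if expected_state is None or not secrets.compare_digest(expected_state, state):
            return None  # nothing pending in this session, or the state belongs to another session
        return self.provider.token(code, verifier)  # verifier proves this session started the flow

def demo():
    # Returns (legitimate login, injection using the victim's state, injection using the attacker's own state)
    idp = FakeProvider(); rp = OidcClient(idp)
    state, challenge = rp.start_login("victim-session")
    legitimate = rp.callback("victim-session", idp.authorize("victim", challenge), state)
    # A code issued to the victim is intercepted and replayed into the attacker's own client session
    v_state, v_challenge = rp.start_login("victim-session")
    stolen = idp.authorize("victim", v_challenge)
    rp.start_login("attacker-session")
    with_victim_state = rp.callback("attacker-session", stolen, v_state)  # state mismatch, rejected
    a_state, _ = rp.start_login("attacker-session")
    with_own_state = rp.callback("attacker-session", stolen, a_state)  # PKCE verifier mismatch, rejected
    return legitimate, with_victim_state, with_own_state
```

The second injection passes the `state` check (the attacker's session has a pending login of its own), so only the PKCE binding at the token endpoint stops it; both layers are needed.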
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.wildfly.security:wildfly-elytron (Maven) | >= 1.17.0.Final, < 2.2.9.Final | 2.2.9.Final |
| org.wildfly.security:wildfly-elytron (Maven) | >= 2.3.0.Final, < 2.6.2.Final | 2.6.2.Final |
| org.wildfly.security:wildfly-elytron-http-oidc (Maven) | >= 1.17.0.Final, < 2.2.9.Final | 2.2.9.Final |
| org.wildfly.security:wildfly-elytron-http-oidc (Maven) | >= 2.3.0.Final, < 2.6.2.Final | 2.6.2.Final |
Affected products
- Range: 1.0.0.Alpha1, 1.0.0.Alpha2, 1.0.0.Alpha3, …
- pkg:apk/chainguard/wildfly (range: < 35.0.1-r16)
- pkg:apk/chainguard/wildfly-openjdk-17 (range: < 35.0.1-r16)
- pkg:apk/chainguard/wildfly-openjdk-17-compat (range: < 35.0.1-r16)
- pkg:apk/chainguard/wildfly-openjdk-21 (range: < 35.0.1-r16)
- pkg:apk/chainguard/wildfly-openjdk-21-compat (range: < 35.0.1-r16)
- pkg:apk/wolfi/wildfly (range: < 35.0.1-r16)
- pkg:apk/wolfi/wildfly-openjdk-17 (range: < 35.0.1-r16)
- pkg:apk/wolfi/wildfly-openjdk-17-compat (range: < 35.0.1-r16)
- pkg:apk/wolfi/wildfly-openjdk-21 (range: < 35.0.1-r16)
- pkg:apk/wolfi/wildfly-openjdk-21-compat (range: < 35.0.1-r16)
- pkg:maven/org.wildfly.security/wildfly-elytron (range: >= 1.17.0.Final, < 2.2.9.Final)
- pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc (range: >= 1.17.0.Final, < 2.2.9.Final)
References
- github.com/advisories/GHSA-5565-3c98-g6jc (ADVISORY, via ghsa)
- nvd.nist.gov/vuln/detail/CVE-2024-12369 (ADVISORY, via ghsa)
- access.redhat.com/security/cve/CVE-2024-12369 (WEB, via nvd)
- bugzilla.redhat.com/show_bug.cgi (WEB, via nvd)
- github.com/wildfly-security/wildfly-elytron/commit/5ac5e6bbcba58883b3cebb2ddbcec4de140c5ceb (WEB, via nvd)
- github.com/wildfly-security/wildfly-elytron/commit/d7754f5a6a91ceb0f4dbbbfe301991f6a55404cb (WEB, via nvd)
- github.com/wildfly-security/wildfly-elytron/pull/2253 (WEB, via nvd)
- github.com/wildfly-security/wildfly-elytron/pull/2261 (WEB, via nvd)
- github.com/wildfly-security/wildfly-elytron/security/advisories/GHSA-5565-3c98-g6jc (WEB, via ghsa)
- issues.redhat.com/browse/ELY-2887 (WEB, via ghsa)
- access.redhat.com/errata/RHSA-2025:3989 (via nvd)
- access.redhat.com/errata/RHSA-2025:3990 (via nvd)
- access.redhat.com/errata/RHSA-2025:3992 (via nvd)