GHSA-5565-3c98-g6jc: Code Injection
First published: Tue Mar 25 2025(Updated: )
### Impact A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack. ### Patches [2.2.9.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.2.9.Final) [2.6.2.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.6.2.Final) ### Workarounds Currently, no mitigation is currently available for this vulnerability. ### References https://nvd.nist.gov/vuln/detail/CVE-2024-12369 https://access.redhat.com/security/cve/CVE-2024-12369 https://bugzilla.redhat.com/show_bug.cgi?id=2331178 https://issues.redhat.com/browse/ELY-2887
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.wildfly.security:wildfly-elytron-http-oidc | >=2.3.0.Final<2.6.2.Final | 2.6.2.Final |
| maven/org.wildfly.security:wildfly-elytron-http-oidc | >=1.17.0.Final<2.2.9.Final | 2.2.9.Final |
| maven/org.wildfly.security:wildfly-elytron | >=2.3.0.Final<2.6.2.Final | 2.6.2.Final |
| maven/org.wildfly.security:wildfly-elytron | >=1.17.0.Final<2.2.9.Final | 2.2.9.Final |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/wildfly-security/wildfly-elytron/security/advisories/GHSA-5565-3c98-g6jc
- https://nvd.nist.gov/vuln/detail/CVE-2024-12369
- https://github.com/wildfly-security/wildfly-elytron/pull/2253
- https://github.com/wildfly-security/wildfly-elytron/pull/2261
- https://github.com/wildfly-security/wildfly-elytron/commit/5ac5e6bbcba58883b3cebb2ddbcec4de140c5ceb
- https://github.com/wildfly-security/wildfly-elytron/commit/d7754f5a6a91ceb0f4dbbbfe301991f6a55404cb
- https://access.redhat.com/security/cve/CVE-2024-12369
- https://bugzilla.redhat.com/show_bug.cgi?id=2331178
- https://issues.redhat.com/browse/ELY-2887
- https://github.com/advisories/GHSA-5565-3c98-g6jc (Advisory)
Frequently Asked Questions
What is the severity of GHSA-5565-3c98-g6jc?
The severity of GHSA-5565-3c98-g6jc is significant due to the potential for authorization code injection attacks.
How do I fix GHSA-5565-3c98-g6jc?
To fix GHSA-5565-3c98-g6jc, update to wildfly-elytron-http-oidc version 2.6.2.Final or 2.2.9.Final depending on your current version.
What software packages are affected by GHSA-5565-3c98-g6jc?
Affected software packages include wildfly-elytron-http-oidc and wildfly-elytron in versions prior to 2.6.2.Final and 2.2.9.Final.
What types of attacks can occur due to GHSA-5565-3c98-g6jc?
GHSA-5565-3c98-g6jc can lead to authorization code injection attacks, allowing attackers to impersonate victims.
Is there a patch available for GHSA-5565-3c98-g6jc?
Yes, patches for GHSA-5565-3c98-g6jc are available in the recommended versions of the affected packages.
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-5565-3c98-g6jc
- alias/CVE-2024-12369
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/severity
- agent/source
- agent/softwarecombine
- agent/tags
- agent/type
- agent/description
- agent/first-publish-date
- agent/event
- package-manager/maven