Advisories for Maven/Org.wildfly/Wildfly-Elytron-Oidc-Client-Subsystem package

2024

WildFly Elytron OpenID Connect Client Extension authorization code injection attack

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

Duplicate Advisory: WildFly Elytron OpenID Connect Client Extension authorization code injection attack

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5565-3c98-g6jc. This link is maintained to preserve external references. Original Description A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with …