org.wildfly.security:wildfly-elytron-http-oidc 2.6.1.Final vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.wildfly.security:wildfly-elytron-http-oidc package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
L Insufficient Verification of Data Authenticity Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the OIDC-Client subsystem. An attacker can impersonate a victim by injecting a stolen authorization code into their own session. Note: This is only exploitable if the following happens- The attacker obtains an authorization code from an authorization response sent to the client, accesses the application and starts the login process with the legitimate client. The attacker replaces the newly sent authorization code with the previously stolen authorization code in the response of the OpenID provider to the legitimate client. The legitimate client sends that stolen authorization code along with its credentials to the OpenID provider to exchange the code for a token. The OpenID provider's checks will succeed, and a token will be issued to the client. The attacker has now associated their session with the legitimate client with the victim's identity. How to fix Insufficient Verification of Data Authenticity? Upgrade `org.wildfly.security:wildfly-elytron-http-oidc` to version 2.2.9.Final, 2.6.2.Final or higher.	[1.17.0.Final,2.2.9.Final)[2.3.0.Final,2.6.2.Final)

Vulnerability

Vulnerable Version

Insufficient Verification of Data Authenticity

Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the OIDC-Client subsystem. An attacker can impersonate a victim by injecting a stolen authorization code into their own session.

Note: This is only exploitable if the following happens-

The attacker obtains an authorization code from an authorization response sent to the client, accesses the application and starts the login process with the legitimate client.
The attacker replaces the newly sent authorization code with the previously stolen authorization code in the response of the OpenID provider to the legitimate client.
The legitimate client sends that stolen authorization code along with its credentials to the OpenID provider to exchange the code for a token.
The OpenID provider's checks will succeed, and a token will be issued to the client.
The attacker has now associated their session with the legitimate client with the victim's identity.

How to fix Insufficient Verification of Data Authenticity?

Upgrade org.wildfly.security:wildfly-elytron-http-oidc to version 2.2.9.Final, 2.6.2.Final or higher.

[1.17.0.Final,2.2.9.Final)[2.3.0.Final,2.6.2.Final)

org.wildfly.security:wildfly-elytron-http-oidc@2.6.1.Final vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?