There is no fixed version for org.wildfly:wildfly-elytron-oidc-client-subsystem.
Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the OIDC-Client subsystem. An attacker can impersonate a victim by injecting a stolen authorization code into their own session.
Note: This is only exploitable if all of the following happen:
1. The attacker obtains an authorization code from an authorization response sent to the client, accesses the application and starts the login process with the legitimate client.
2. The attacker replaces the newly sent authorization code with the previously stolen authorization code in the response of the OpenID provider to the legitimate client.
3. The legitimate client sends that stolen authorization code along with its credentials to the OpenID provider to exchange the code for a token.
4. The OpenID provider's checks succeed, and a token is issued to the client.
The attacker has now associated their session with the legitimate client with the victim's identity.
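As an added illustration (not the project's code and not the fix WildFly shipped), the following constructed Python simulation replays the flow above against an in-memory OpenID provider: a client that exchanges any code it receives ends up holding the victim's identity, while a client that binds each login to its own session with a PKCE verifier and a nonce, the countermeasure the OAuth 2.0 Security BCP prescribes for authorization code injection, rejects the substituted code. The provider, the session dicts and the subject names are all assumptions constructed for the example.

```python
import base64, hashlib, secrets

def s256(verifier):
    # PKCE S256: base64url(SHA-256(verifier)) without padding
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

class Provider:  # constructed in-memory OpenID provider, not a real OP
    def __init__(self):
        self.codes = {}  # code -> (subject, code_challenge, nonce)

    def authorize(self, subject, challenge=None, nonce=None):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (subject, challenge, nonce)
        return code

    def token(self, code, verifier=None):
        subject, challenge, nonce = self.codes.pop(code)  # codes are single use
        if challenge is not None and s256(verifier or "") != challenge:
            raise PermissionError("PKCE verification failed")
        return {"sub": subject, "nonce": nonce}  # stands in for the ID token

def vulnerable_login(op, session, code):
    # Exchanges whatever code arrives; nothing ties it to this session.
    return op.token(code)["sub"]  # identity this session now holds

def hardened_start(op, session, subject):
    # Bind the request to this session before redirecting to the OP.
    session["verifier"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(16)
    return op.authorize(subject, s256(session["verifier"]), session["nonce"])

def hardened_login(op, session, code):
    # Accept the code only if the OP confirms this session's verifier and the nonce matches.
    token = op.token(code, session["verifier"])  # raises on PKCE mismatch
    if token["nonce"] != session["nonce"]:
        raise PermissionError("nonce mismatch: code was issued to another session")
    return token["sub"]

def simulate(hardened):
    # Replays the advisory's flow; returns the identity the attacker's session ends with.
    op, victim, attacker = Provider(), {}, {}
    if not hardened:
        stolen = op.authorize("victim")  # step 1: the victim's code leaks before it is used
        op.authorize("attacker")         # attacker starts a login, then swaps in the stolen code
        return vulnerable_login(op, attacker, stolen)  # steps 2-4: accepted, victim identity
    stolen = hardened_start(op, victim, "victim")
    hardened_start(op, attacker, "attacker")
    try:
        return hardened_login(op, attacker, stolen)
    except PermissionError:
        return None  # exchange refused; the attacker gains no identity
```

Running simulate(False) returns "victim", the outcome the advisory describes; simulate(True) returns None because the stolen code cannot prove the attacker session's verifier or nonce.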