CVE-2024-12369: Insufficient Verification of Data Authenticity
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.
AI Analysis
Technical Summary
The vulnerability CVE-2024-12369 affects the OIDC-Client used in Red Hat JBoss Enterprise Application Platform 8.x, specifically when using the RH SSO OIDC adapter with EAP 7.x or the elytron-oidc-client subsystem with EAP 8.x. It allows authorization code injection attacks where an attacker can inject a stolen authorization code into their own session, thereby assuming the victim's identity. The attack vector is network-based and requires user interaction, with a high attack complexity. The impact is limited to low confidentiality and integrity loss without availability impact. Red Hat has issued official security advisories (RHSA-2025:3989 and RHSA-2025:3990) providing patches in version 8.0.7 for RHEL 8 and RHEL 9 respectively.
Potential Impact
Successful exploitation allows an attacker to inject a stolen authorization code into their own session, impersonating a victim's identity. This results in limited confidentiality and integrity impact as per the CVSS score (4.2). There is no impact on system availability. The attack requires network access and user interaction, with high attack complexity.
Mitigation Recommendations
Red Hat has released official security updates in JBoss Enterprise Application Platform 8.0.7 for RHEL 8 and RHEL 9 that fix this vulnerability. Users should apply these updates after ensuring all prior relevant errata are installed and backing up their systems. Detailed update instructions are available from Red Hat's advisory and knowledge base articles. No additional mitigations are indicated by the vendor advisory.
CVE-2024-12369: Insufficient Verification of Data Authenticity
Description
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2024-12369 affects the OIDC-Client used in Red Hat JBoss Enterprise Application Platform 8.x, specifically when using the RH SSO OIDC adapter with EAP 7.x or the elytron-oidc-client subsystem with EAP 8.x. It allows authorization code injection attacks where an attacker can inject a stolen authorization code into their own session, thereby assuming the victim's identity. The attack vector is network-based and requires user interaction, with a high attack complexity. The impact is limited to low confidentiality and integrity loss without availability impact. Red Hat has issued official security advisories (RHSA-2025:3989 and RHSA-2025:3990) providing patches in version 8.0.7 for RHEL 8 and RHEL 9 respectively.
Potential Impact
Successful exploitation allows an attacker to inject a stolen authorization code into their own session, impersonating a victim's identity. This results in limited confidentiality and integrity impact as per the CVSS score (4.2). There is no impact on system availability. The attack requires network access and user interaction, with high attack complexity.
Mitigation Recommendations
Red Hat has released official security updates in JBoss Enterprise Application Platform 8.0.7 for RHEL 8 and RHEL 9 that fix this vulnerability. Users should apply these updates after ensuring all prior relevant errata are installed and backing up their systems. Detailed update instructions are available from Red Hat's advisory and knowledge base articles. No additional mitigations are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- redhat
- Date Reserved
- 2024-12-09T16:33:36.277Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/errata/RHSA-2025:3989","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:3990","vendor":"Red Hat"},{"url":"https://access.redhat.com/errata/RHSA-2025:3992","vendor":"Red Hat"},{"url":"https://access.redhat.com/security/cve/CVE-2024-12369","vendor":"Red Hat"}]
Threat ID: 68e0f3c0b66c7f7acdd3d07e
Added to database: 10/4/2025, 10:15:28 AM
Last enriched: 5/1/2026, 2:05:06 AM
Last updated: 5/8/2026, 11:36:53 AM
Views: 74
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.