CVE-2024-12369: Insufficient Verification of Data Authenticity
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.
AI Analysis
Technical Summary
CVE-2024-12369 is a vulnerability in the OIDC-Client component used in Red Hat Single Sign-On (RH SSO) adapters for JBoss Enterprise Application Platform (EAP) versions 7.x and 8.x. The issue arises from insufficient verification of data authenticity during the OAuth 2.0 authorization code flow. Specifically, an attacker can inject a stolen authorization code into their own session, which the client accepts as valid, thereby allowing the attacker to assume the victim's identity within the application. This attack vector typically requires a Man-in-the-Middle (MitM) scenario or phishing to steal the authorization code. The vulnerability affects the confidentiality and integrity of user sessions by enabling unauthorized access and impersonation. The CVSS 3.1 base score is 4.2, reflecting network attack vector, high attack complexity, no privileges required, and user interaction needed. No known exploits have been reported in the wild yet. The vulnerability is particularly relevant for environments using RH SSO for federated authentication and identity management, as it undermines trust in the authorization process. The affected versions are those using the RH SSO OIDC adapter with EAP 7.x and the elytron-oidc-client subsystem with EAP 8.x. Mitigation requires patching or updating the OIDC client libraries to ensure proper verification of authorization codes and strengthening defenses against MitM and phishing attacks.
Potential Impact
For European organizations, this vulnerability poses a risk to the confidentiality and integrity of user identities and sessions in applications relying on RH SSO and EAP middleware for authentication. Attackers exploiting this flaw can impersonate legitimate users, potentially gaining unauthorized access to sensitive data and services. This can lead to data breaches, unauthorized transactions, and erosion of trust in identity management systems. Sectors such as finance, government, healthcare, and critical infrastructure that depend on secure single sign-on solutions are particularly vulnerable. The need for user interaction and high attack complexity somewhat limits widespread exploitation, but targeted attacks leveraging phishing or MitM techniques remain a significant threat. The absence of known exploits in the wild provides a window for proactive mitigation. Failure to address this vulnerability could result in regulatory non-compliance under GDPR due to unauthorized access and data exposure.
Mitigation Recommendations
Organizations should immediately assess their use of RH SSO OIDC adapters with EAP 7.x and elytron-oidc-client with EAP 8.x to identify affected systems. Apply vendor patches or updates as soon as they become available to ensure proper verification of authorization codes. In the interim, implement network-level protections such as enforcing TLS 1.2 or higher with strict certificate validation to mitigate MitM risks. Enhance phishing detection and user awareness training to reduce the likelihood of credential or authorization code theft. Employ monitoring and anomaly detection on authentication logs to identify unusual authorization code usage or session anomalies. Consider deploying multi-factor authentication (MFA) to add an additional layer of identity verification. Review and tighten OAuth 2.0 and OIDC configurations to limit token lifetimes and scope. Finally, conduct regular security assessments and penetration testing focused on identity federation components to detect similar weaknesses.
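The code-injection flaw in the Technical Summary and the "proper verification of authorization codes" called for above can be made concrete with a small simulation. This is an added example, not code from the RH SSO adapter or the elytron-oidc-client subsystem: it models a toy authorization server and two relying-party callbacks, one that redeems any code it receives and one that binds every login to the session that started it with state, a PKCE verifier (RFC 7636) and an OIDC nonce. All names, the session dictionaries and the users are constructed for the demonstration.

```python
import base64
import hashlib
import secrets

def s256(verifier):
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA-256(verifier)) with the padding stripped."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

class AuthServer:  # toy authorization server: each code remembers the challenge and nonce it was issued for
    def __init__(self):
        self.codes = {}
    def authorize(self, user, code_challenge=None, nonce=None):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, code_challenge, nonce)
        return code
    def token(self, code, code_verifier=None):
        user, challenge, nonce = self.codes.pop(code)  # codes are single use
        if challenge is not None and s256(code_verifier or "") != challenge:
            raise PermissionError("PKCE verification failed")
        return {"sub": user, "nonce": nonce}  # stands in for the verified ID token claims

def vulnerable_callback(auth, session, code, state=None):
    """Redeems whatever code reaches the callback; nothing ties it to the session that began the login."""
    session["user"] = auth.token(code)["sub"]
    return session["user"]

def hardened_start(session):
    """Generates per-session state, PKCE verifier and nonce; returns the extra authorization request params."""
    session.update({key: secrets.token_urlsafe(32) for key in ("state", "verifier", "nonce")})
    return {"code_challenge": s256(session["verifier"]), "nonce": session["nonce"]}

def hardened_callback(auth, session, code, state):
    """Accepts the code only if state, the PKCE verifier and the nonce all belong to this session."""
    if state != session.pop("state", None):
        raise PermissionError("state mismatch: this session did not start the login")
    claims = auth.token(code, session.pop("verifier"))  # server compares the verifier with the code's challenge
    if claims["nonce"] != session.pop("nonce"):
        raise PermissionError("nonce mismatch: token was not issued for this session")
    session["user"] = claims["sub"]
    return session["user"]

def replay_outcome(callback, start=lambda session: {}):
    """Page scenario: the victim's code lands in another session; returns who it logs in as, or None if refused."""
    auth, victim, other = AuthServer(), {}, {}
    stolen = auth.authorize("alice", **start(victim))  # victim's code leaks (MitM or phishing, per the advisory)
    auth.authorize("mallory", **start(other))  # the second session ran its own login and holds its own secrets
    try:
        return callback(auth, other, stolen, other.get("state"))
    except PermissionError:
        return None
```

Note that the state check alone does not stop the replay, because the second session presents its own valid state; it is the PKCE verifier (checked at the token endpoint) and the nonce (checked in the ID token) that bind the code to the session that requested it.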
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2024-12-09T16:33:36.277Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e0f3c0b66c7f7acdd3d07e
Added to database: 10/4/2025, 10:15:28 AM
Last enriched: 1/27/2026, 7:16:40 PM
Last updated: 2/7/2026, 1:51:09 PM