CVE-2024-12369: Insufficient Verification of Data Authenticity
A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2024-12369 is a vulnerability identified in the OIDC-Client implementation within Red Hat Single Sign-On (RH SSO) adapters for EAP 7.x and the elytron-oidc-client subsystem in EAP 8.x. The vulnerability arises from insufficient verification of data authenticity during the authorization code exchange step of the OpenID Connect (OIDC) protocol. Specifically, an attacker can inject a stolen authorization code into their own session with the client, effectively impersonating the victim's identity. This attack vector typically requires the attacker to intercept or phish the authorization code, often through Man-in-the-Middle (MitM) attacks or social engineering techniques. Once the attacker injects the stolen code, they can gain unauthorized access to resources or services under the victim's identity. The vulnerability affects the confidentiality and integrity of user sessions but does not impact system availability. The CVSS v3.1 base score is 4.2, indicating medium severity, with a network attack vector, high attack complexity, no privileges required, and user interaction required. No patches or known exploits are currently publicly available, but the risk remains significant for organizations relying on these specific OIDC client implementations in Red Hat EAP environments.
Potential Impact
The primary impact of CVE-2024-12369 is unauthorized identity impersonation, which can lead to unauthorized access to sensitive resources and data within affected organizations. Attackers exploiting this vulnerability can bypass authentication controls by injecting stolen authorization codes, potentially gaining access to user accounts and associated privileges. This undermines the confidentiality and integrity of user sessions and data. While availability is not directly affected, the breach of identity can facilitate further attacks such as data exfiltration, privilege escalation, or lateral movement within networks. Organizations relying on RH SSO OIDC adapters or elytron-oidc-client subsystems in EAP 7.x and 8.x are at risk, particularly those with high-value or sensitive applications integrated with these authentication mechanisms. The requirement for MitM or phishing attacks means that environments with weak network security or user awareness are more vulnerable. The medium CVSS score reflects the moderate ease of exploitation combined with significant potential impact on identity security.
Mitigation Recommendations
To mitigate CVE-2024-12369, organizations should first verify whether they are using the affected versions of the RH SSO OIDC adapters with EAP 7.x or the elytron-oidc-client subsystem with EAP 8.x. Immediate steps include:
1) Apply any available patches or updates from Red Hat as soon as they are released.
2) Implement network-level protections such as enforcing TLS with strong cipher suites to prevent MitM attacks.
3) Enhance phishing detection and user training to reduce the risk of social engineering attacks that could expose authorization codes.
4) Employ additional OIDC security best practices such as Proof Key for Code Exchange (PKCE) to bind authorization codes to client sessions, if supported.
5) Monitor authentication logs for unusual authorization code usage or session anomalies that may indicate exploitation attempts.
6) Restrict the lifespan and scope of authorization codes to minimize the window of opportunity for attackers.
7) Consider multi-factor authentication (MFA) to add a layer of identity verification beyond the authorization code.
These measures collectively reduce the risk of successful exploitation and limit potential damage.
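The following is an added example, not code from this advisory, from Red Hat, or from the EAP adapters, showing what the PKCE recommendation above amounts to on both sides of the code exchange, together with state binding, a standard OIDC client practice the list does not name. The relying party keeps a per-browser-session state and PKCE code_verifier, drops callbacks whose state it did not issue, and the provider refuses to redeem a code whose issued code_challenge does not match the verifier presented. The class names, cookie values, subject names and the redirect URI are constructed for this example; the provider and client are deliberately minimal stand-ins, not models of RH SSO internals.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 characters, inside the 43..128 range RFC 7636 allows.
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy OpenID provider (constructed stand-in): every code is issued against a
    code_challenge and redirect_uri, and the token endpoint enforces both."""

    def __init__(self):
        self._codes = {}  # code -> (subject, code_challenge, redirect_uri)

    def authorize(self, subject, code_challenge, redirect_uri):
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (subject, code_challenge, redirect_uri)
        return code

    def token(self, code, code_verifier, redirect_uri):
        entry = self._codes.get(code)
        if entry is None:
            return None  # unknown or already redeemed code
        subject, challenge, issued_redirect = entry
        if issued_redirect != redirect_uri:
            return None
        # The verifier must hash to the challenge the code was issued against;
        # a code lifted from another session cannot satisfy this check.
        if not secrets.compare_digest(code_challenge_s256(code_verifier), challenge):
            return None
        del self._codes[code]  # single use: consumed on successful redemption
        return {"sub": subject}


class RelyingParty:
    """Toy OIDC client (constructed stand-in). Pending logins are keyed by the
    browser session cookie, so state and verifier never leave the server."""

    def __init__(self, authz, redirect_uri):
        self.authz = authz
        self.redirect_uri = redirect_uri
        self._pending = {}  # session cookie -> {"state": ..., "verifier": ...}

    def begin_login(self, session_cookie):
        verifier = make_code_verifier()
        state = b64url(secrets.token_bytes(16))
        self._pending[session_cookie] = {"state": state, "verifier": verifier}
        # Parameters that would be placed on the authorization request URL.
        return {
            "state": state,
            "code_challenge": code_challenge_s256(verifier),
            "code_challenge_method": "S256",
            "redirect_uri": self.redirect_uri,
        }

    def finish_login(self, session_cookie, code, state):
        pending = self._pending.pop(session_cookie, None)
        if pending is None or not secrets.compare_digest(pending["state"], state):
            return None  # callback does not belong to a login this session started
        return self.authz.token(code, pending["verifier"], self.redirect_uri)


def simulate_code_injection():
    """Two browser sessions against one client; the second presents a code that
    was issued for the first. Returns (legitimate_result, injected_result)."""
    authz = AuthorizationServer()
    rp = RelyingParty(authz, "https://rp.example/callback")  # constructed URI

    victim_req = rp.begin_login("victim-cookie")
    victim_code = authz.authorize("alice@example", victim_req["code_challenge"],
                                  victim_req["redirect_uri"])

    # The second session started its own login, so it holds a valid state of its
    # own, but its verifier does not match the challenge the victim's code is bound to.
    other_req = rp.begin_login("other-cookie")
    injected = rp.finish_login("other-cookie", victim_code, other_req["state"])

    # The victim's own callback still completes normally.
    legitimate = rp.finish_login("victim-cookie", victim_code, victim_req["state"])
    return legitimate, injected


def state_mismatch_is_rejected():
    """A callback carrying a state the session never issued is dropped before any token request."""
    authz = AuthorizationServer()
    rp = RelyingParty(authz, "https://rp.example/callback")
    req = rp.begin_login("cookie")
    code = authz.authorize("alice@example", req["code_challenge"], req["redirect_uri"])
    return rp.finish_login("cookie", code, "not-the-issued-state") is None


if __name__ == "__main__":
    print(simulate_code_injection())
```

Note that the injected redemption passes the state check, because the injecting session legitimately started a login of its own, and is stopped only by the PKCE comparison at the token endpoint; this is why state alone does not close the gap the advisory describes and PKCE (or the OIDC nonce) is needed to bind the code to the session that requested it.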
Affected Countries
United States, Germany, United Kingdom, France, Japan, India, Canada, Australia, Brazil, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2024-12-09T16:33:36.277Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e0f3c0b66c7f7acdd3d07e
Added to database: 10/4/2025, 10:15:28 AM
Last enriched: 2/28/2026, 11:44:21 AM
Last updated: 3/25/2026, 4:06:30 AM