
CVE-2024-12369: Insufficient Verification of Data Authenticity

Medium
Published: Mon Dec 09 2024 (12/09/2024, 20:53:09 UTC)
Source: CVE Database V5

Description

A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

AI-Powered Analysis

AI analysis last updated: 11/11/2025, 17:19:18 UTC

Technical Analysis

CVE-2024-12369 is a vulnerability in the OIDC client code shipped with Red Hat Single Sign-On (RH SSO) for JBoss Enterprise Application Platform (EAP): the RH SSO OIDC adapter on EAP 7.x and the elytron-oidc-client subsystem on EAP 8.x. The flaw is insufficient verification of data authenticity during the OAuth 2.0 authorization code flow. In an authorization code injection attack the attacker first obtains a victim's authorization code, typically by intercepting the redirect from a Man-in-the-Middle (MitM) position or by luring the victim through a phishing page, then starts a login flow of their own with the vulnerable client and delivers the stolen code to the client's redirect endpoint inside their own session. A client that does not verify that the code it receives belongs to the authorization request its own session issued exchanges that code for tokens, and the attacker's session is now authenticated as the victim. The CVSS v3.1 base score is 4.2 (Medium): high attack complexity, no privileges required, user interaction required, low impact on confidentiality and integrity, and no impact on availability. No public exploits have been reported, but the issue affects any application that relies on these Red Hat components for authentication and authorization, particularly where the OAuth 2.0 flow is the primary access control.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized access to sensitive applications and data by allowing attackers to impersonate legitimate users. This undermines trust in identity and access management systems, potentially exposing personal data protected under GDPR and other privacy regulations. The attack could facilitate lateral movement within networks, data exfiltration, or fraudulent transactions. Sectors with high reliance on Red Hat EAP and RH SSO for secure authentication—such as finance, government, healthcare, and critical infrastructure—are at particular risk. The need for user interaction and the requirement for MitM or phishing conditions somewhat limit the attack surface, but targeted spear-phishing campaigns or compromised network environments could exploit this vulnerability effectively. Failure to address this issue could result in regulatory penalties, reputational damage, and operational disruptions.

Mitigation Recommendations

European organizations should immediately identify deployments of Red Hat EAP 7.x with the RH SSO OIDC adapter and EAP 8.x with the elytron-oidc-client subsystem, subscribe to Red Hat security advisories for the fix (no patch links are provided on this page), and test updates in a controlled environment before rolling them out. Until patched, compensating controls should address both halves of the attack. Strict TLS configuration on every hop of the redirect, including the browser-facing front end, limits network MitM capture of authorization codes; phishing detection and user awareness training address the other common leak path. TLS alone does not stop the injection step, because the attacker submits the stolen code over a perfectly legitimate connection in their own session. The real defence is binding the authorization response to the session that started it: Proof Key for Code Exchange (PKCE, RFC 7636), where the components support it, makes a code issued for the victim's code_challenge unusable with the attacker's code_verifier, and for OpenID Connect the client must check that the nonce in the returned ID token matches the nonce its own session sent. A per-session state value remains necessary against CSRF but is not sufficient against code injection on its own, since the attacker can present their own session's state alongside the stolen code. Log and alert on token endpoint and callback events where codes are rejected, reused, or exchanged from a session other than the one that initiated the flow; this is the earliest signal of an exploitation attempt. Network segmentation and zero-trust principles limit what an attacker can reach if a session is nonetheless compromised.
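The following is an added example, not code from this page or from Red Hat's adapters: a Python simulation of the attack described in the technical analysis and of the PKCE defence recommended above. The AuthServer and Client classes, the client_id "app" and the redirect URI are constructed stand-ins for an authorization server and relying party; the point they show is that a client which checks only state still accepts an injected code, while a client sending a per-session PKCE code_verifier does not.

```python
"""Authorization code injection, with and without PKCE (RFC 7636).

Added illustration only: AuthServer and Client are in-memory stand-ins,
not Red Hat SSO or the EAP OIDC adapters.
"""
import base64
import hashlib
import hmac
import secrets


def s256(verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthServer:
    """Stand-in authorization server: single-use codes bound to the client,
    the redirect URI and, when present, the PKCE code_challenge."""

    def __init__(self):
        self._codes = {}

    def authorize(self, user, client_id, redirect_uri, state, code_challenge=None):
        code = secrets.token_urlsafe(24)
        self._codes[code] = {"user": user, "client_id": client_id,
                             "redirect_uri": redirect_uri, "code_challenge": code_challenge}
        return {"code": code, "state": state}  # what the user agent carries back

    def token(self, code, client_id, redirect_uri, code_verifier=None):
        rec = self._codes.pop(code, None)  # pop: a code can be exchanged only once
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            return None
        if rec["code_challenge"] is not None:
            if code_verifier is None or not hmac.compare_digest(
                    s256(code_verifier), rec["code_challenge"]):
                return None  # verifier is not from the session the code was issued for
        return {"sub": rec["user"]}


class Client:
    """Stand-in relying party. It always checks state (the CSRF defence);
    use_pkce decides whether the response is also bound to the session."""

    client_id = "app"                                # assumed, illustrative
    redirect_uri = "https://app.example/callback"    # assumed, illustrative

    def __init__(self, auth_server, use_pkce):
        self.auth_server = auth_server
        self.use_pkce = use_pkce

    def start_login(self, session):
        """Begin a flow for one browser session; stash what the callback must verify."""
        session["state"] = secrets.token_urlsafe(16)
        challenge = None
        if self.use_pkce:
            session["code_verifier"] = secrets.token_urlsafe(32)  # 43 chars, unreserved set
            challenge = s256(session["code_verifier"])
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "state": session["state"], "code_challenge": challenge}

    def callback(self, session, params):
        """Handle the redirect back; return the authenticated subject or None."""
        expected = session.pop("state", None)
        if expected is None or not hmac.compare_digest(expected, params.get("state", "")):
            return None
        tok = self.auth_server.token(params.get("code", ""), self.client_id,
                                     self.redirect_uri, session.pop("code_verifier", None))
        if tok is None:
            return None
        session["user"] = tok["sub"]
        return tok["sub"]


def run_honest(use_pkce):
    """Victim completes their own login; returns the subject the victim session holds."""
    srv = AuthServer()
    client = Client(srv, use_pkce)
    victim = {}
    params = srv.authorize("victim@example", **client.start_login(victim))
    return client.callback(victim, params)


def run_injection(use_pkce):
    """Attacker obtains the victim's code before the victim's callback runs
    (phishing or MitM), starts their own flow, and injects the stolen code into
    their own session. Returns the identity the attacker's session ends up with."""
    srv = AuthServer()
    client = Client(srv, use_pkce)
    victim, attacker = {}, {}
    stolen = srv.authorize("victim@example", **client.start_login(victim))
    attacker_req = client.start_login(attacker)
    srv.authorize("attacker@example", **attacker_req)  # attacker's own code goes unused
    injected = {"code": stolen["code"], "state": attacker_req["state"]}  # attacker's own state
    return client.callback(attacker, injected)


if __name__ == "__main__":
    print("state only, injected code ->", run_injection(False))  # victim@example
    print("PKCE,       injected code ->", run_injection(True))   # None
```

The state check passes in both runs because the attacker supplies the state of the session they control; only the PKCE verifier, which the attacker never had, ties the exchange back to the victim's original request. An OpenID Connect client without PKCE gets the equivalent binding by comparing the ID token's nonce with the one stored in the session before accepting the login.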


Technical Details

Data Version
5.1
Assigner Short Name
redhat
Date Reserved
2024-12-09T16:33:36.277Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68e0f3c0b66c7f7acdd3d07e

Added to database: 10/4/2025, 10:15:28 AM

Last enriched: 11/11/2025, 5:19:18 PM

Last updated: 12/3/2025, 5:43:35 PM

Views: 21

