A vulnerability was found in OIDC-Client. When using the RH SSO OIDC adapter with EAP 7.x or when using the elytron-oidc-client subsystem with EAP 8.x, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.wildfly.security:wildfly-elytron(Maven) | 1.17.0.Final | 2.2.9.Final | N/A |
| org.wildfly.security:wildfly-elytron(Maven) | 2.3.0.Final | 2.6.2.Final | N/A |
| org.wildfly.security:wildfly-elytron-http-oidc(Maven) | 1.17.0.Final | 2.2.9.Final | N/A |
| org.wildfly.security:wildfly-elytron-http-oidc(Maven) | 2.3.0.Final | 2.6.2.Final | N/A |
CVSS Metrics
