4.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-12369

GHSA ID

GHSA-5565-3c98-g6jc

EPSS Score

0.10064%

CWE

CWE-345

Published

3/25/2025

Updated

3/25/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-12369

CVE-2024-12369: WildFly Elytron OpenID Connect Client ExtensionOIDC authorization code injection attack

Impact

A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

Patches

2.2.9.Final 2.6.2.Final

Workarounds

Currently, no mitigation is currently available for this vulnerability.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-12369 https://access.redhat.com/security/cve/CVE-2024-12369 https://bugzilla.redhat.com/show_bug.cgi?id=2331178 https://issues.redhat.com/browse/ELY-2887

(GitHub Advisory)

4.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-12369

GHSA ID

GHSA-5565-3c98-g6jc

EPSS Score

0.10064%

CWE

CWE-345

Published

3/25/2025

Updated

3/25/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.wildfly.security:wildfly-elytron	maven
org.wildfly.security:wildfly-elytron	maven
org.wildfly.security:wildfly-elytron-http-oidc	maven
org.wildfly.security:wildfly-elytron-http-oidc	maven

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing nonce validation in the OIDC authorization code flow. The patch adds nonce generation in OidcRequestAuthenticator (via getRedirectUri()) and validation in TokenValidator (via NonceValidator). The absence of these checks in the original code allowed authorization code injection. The functions handling the authorization request construction (getRedirectUri()) and token validation (parseAndVerifyToken()) were directly involved in the missing security checks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * vuln*r**ility w*s *oun* in OI**-*li*nt. W**n usin* t** *lytron-oi**-*li*nt su*syst*m wit* Wil**ly, *ut*oriz*tion *o** inj**tion *tt**ks **n o**ur, *llowin* *n *tt**k*r to inj**t * stol*n *ut*oriz*tion *o** into t** *tt**k*r's own s*ssio

Reasoning

T** vuln*r**ility st*ms *rom missin* non** v*li**tion in t** OI** *ut*oriz*tion *o** *low. T** p*t** ***s non** **n*r*tion in `Oi**R*qu*st*ut**nti**tor` (vi* `**tR**ir**tUri()`) *n* v*li**tion in `Tok*nV*li**tor` (vi* `Non**V*li**tor`). T** **s*n** o

4.2

Basic Information

Concerned about an active attack path?

CVE-2024-12369: WildFly Elytron OpenID Connect Client ExtensionOIDC authorization code injection attack

Impact

Patches

Workarounds

References

4.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI