Bug 2250812 (CVE-2023-6236) - CVE-2023-6236 JBoss EAP: OIDC app attempting to access the second tenant, the user should be prompted to log
Summary: CVE-2023-6236 JBoss EAP: OIDC app attempting to access the second tenant, the...
Keywords:
Status: NEW
Alias: CVE-2023-6236
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2250808
TreeView+ depends on / blocked
 
Reported: 2023-11-21 09:35 UTC by Rohit Keshri
Modified: 2024-04-15 17:46 UTC (History)
24 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in JBoss EAP. When an OIDC app that serves multiple tenants attempts to access the second tenant, it should prompt the user to log in again since the second tenant is secured with a different OIDC configuration. The underlying issue is in OidcSessionTokenStore when determining if a cached token should be used or not. This logic needs to be updated to take into account the new "provider-url" option in addition to the "realm" option.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Rohit Keshri 2023-11-21 09:35:26 UTC 
When attempting to access the second tenant, the user should be prompted to log in again since the second tenant is secured with different OIDC configuration (e.g., with a different Keycloak realm).

The underlying issue is a bug in OidcSessionTokenStore when determining if a cached token should be used or not. This logic needs to be updated to take into account the new "provider-url" option in addition to the "realm" option.
Note You need to log in before you can comment on or make changes to this bug.