When using the RH SSO OIDC adapter with EAP 7.x, or the elytron-oidc-client subsystem with EAP 8.x, there is a potential for authorization code injection attacks. That means an attacker can inject a stolen authorization code into the attacker's own session with the client, which allows the attacker to associate their own session with the client with a victim's identity.

Requirements to exploit:

* The attacker needs to obtain an authorization code from an authorization response sent to the client.
* The attacker can then access the application and start the login process with the legitimate client.
* In the response of the OpenID provider to the legitimate client, the attacker can replace the newly sent authorization code with the previously stolen authorization code.
* The legitimate client will send that stolen authorization code, along with its credentials, to the OpenID provider to exchange the code for a token.
* The OpenID provider's checks will succeed and a token will be issued to the client.
* The attacker has now associated their session with the legitimate client with the victim's identity.
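The steps above succeed because nothing ties the authorization code to the client session that started the login: the `state` parameter does not help, since the attacker's own session has a matching `state`. The OAuth 2.0 Security Best Current Practice (RFC 9700) names two bindings that close this gap: PKCE (RFC 7636), where the client keeps a per-session `code_verifier` and the provider refuses to redeem a code whose recorded `code_challenge` does not match it, and the OpenID Connect `nonce`, which the client checks in the returned ID token. The following is an added illustration, not code from Red Hat, JBoss EAP or Elytron: a toy in-memory provider and client (the `Provider` and `Client` classes and all session and subject names are hypothetical, and the "stolen" code is simply constructed in the script) that replays the six steps from the advisory once without session binding and once with it.

```python
"""Added illustration (not Red Hat's, EAP's or Elytron's code) of why binding the
authorization code to the client session defeats authorization code injection.
Everything here is a hypothetical in-memory model: there is no network, no
signatures and no real OpenID provider."""
import base64
import hashlib
import secrets


def s256(verifier: str) -> str:
    """PKCE S256 transform: base64url(SHA-256(code_verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class Provider:
    """Hypothetical OpenID provider. Each issued code remembers the subject it was
    issued for, the PKCE code_challenge of the request and the request's nonce."""

    def __init__(self):
        self.codes = {}

    def authorize(self, subject, code_challenge, nonce):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (subject, code_challenge, nonce)
        return code

    def token(self, code, code_verifier):
        entry = self.codes.pop(code, None)  # a code is single-use
        if entry is None:
            raise ValueError("unknown or already redeemed code")
        subject, challenge, nonce = entry
        # PKCE check: only the session that created code_verifier can redeem the code.
        if challenge is not None and s256(code_verifier or "") != challenge:
            raise ValueError("code_verifier does not match the code_challenge")
        # A real provider returns a signed ID token; a plain dict stands in for it here.
        return {"sub": subject, "nonce": nonce}


class Client:
    """Hypothetical relying party. With bind_session=False it behaves like a client
    that sends no code_challenge and ignores the nonce; with True it uses both."""

    def __init__(self, provider, bind_session):
        self.provider = provider
        self.bind_session = bind_session
        self.sessions = {}

    def start_login(self, session_id):
        if self.bind_session:
            # token_urlsafe(32) yields 43 characters, the RFC 7636 minimum verifier length.
            sess = {"verifier": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(16)}
            req = {"code_challenge": s256(sess["verifier"]), "nonce": sess["nonce"]}
        else:
            sess = {"verifier": None, "nonce": None}
            req = {"code_challenge": None, "nonce": None}
        self.sessions[session_id] = sess
        return req

    def callback(self, session_id, code):
        sess = self.sessions[session_id]
        id_token = self.provider.token(code, sess["verifier"])
        # nonce check: the token must have been minted for this very login attempt.
        if sess["nonce"] is not None and id_token["nonce"] != sess["nonce"]:
            raise ValueError("nonce mismatch: token was not issued for this session")
        sess["sub"] = id_token["sub"]
        return id_token["sub"]


def normal_login_outcome(bind_session):
    """A legitimate login: the code issued for the session is redeemed in that session."""
    provider, client = Provider(), Client(Provider(), bind_session)
    client.provider = provider
    req = client.start_login("alice-session")
    code = provider.authorize("alice", req["code_challenge"], req["nonce"])
    return client.callback("alice-session", code)


def injection_outcome(bind_session):
    """The advisory's scenario: a code issued for the victim's login is presented in
    the attacker's own callback. Returns the subject the attacker's session ended up
    with, or "rejected". The captured code is constructed here, not obtained anyhow."""
    provider = Provider()
    client = Client(provider, bind_session)
    victim_req = client.start_login("victim-session")
    stolen_code = provider.authorize("victim", victim_req["code_challenge"], victim_req["nonce"])
    attacker_req = client.start_login("attacker-session")
    provider.authorize("attacker", attacker_req["code_challenge"], attacker_req["nonce"])
    try:
        return client.callback("attacker-session", stolen_code)
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("unbound client, injected code ->", injection_outcome(False))  # victim
    print("bound client, injected code   ->", injection_outcome(True))   # rejected
```

Without binding, the attacker's session is associated with the subject `victim`, exactly as the advisory describes. With binding, the provider's PKCE check fails first because the `code_verifier` held in the attacker's session was never used to compute the challenge stored with the victim's code; even if that check were absent, the client's nonce comparison would reject the token. Deployments should confirm that the adapter in use actually sends `code_challenge` and validates `nonce` rather than assuming `state` alone protects the callback.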
This issue has been addressed in the following products:

* Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8, via RHSA-2025:3989: https://access.redhat.com/errata/RHSA-2025:3989
* Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9, via RHSA-2025:3990: https://access.redhat.com/errata/RHSA-2025:3990
* Red Hat JBoss Enterprise Application Platform, via RHSA-2025:3992: https://access.redhat.com/errata/RHSA-2025:3992