Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc@1.17.0.Final

Type maven

Namespace org.wildfly.security

Name wildfly-elytron-http-oidc

Version 1.17.0.Final

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.2.9.Final

Latest_non_vulnerable_version 2.6.2.Final

Affected_by_vulnerabilities

url VCID-etqf-v4yp-4fdu

vulnerability_id VCID-etqf-v4yp-4fdu

summary

WildFly Elytron: OIDC app attempting to access the second tenant, the user should be prompted to log
A flaw was found in JBoss EAP. When an OIDC app that serves multiple tenants attempts to access the second tenant, it should prompt the user to log in again since the second tenant is secured with a different OIDC configuration. The underlying issue is in OidcSessionTokenStore when determining if a cached token should be used or not. This logic needs to be updated to take into account the new "provider-url" option in addition to the "realm" option.

references

reference_url

https://access.redhat.com/errata/RHSA-2024:3580

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-31T17:54:51Z/

url

https://access.redhat.com/errata/RHSA-2024:3580

reference_url

https://access.redhat.com/errata/RHSA-2024:3581

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-31T17:54:51Z/

url

https://access.redhat.com/errata/RHSA-2024:3581

reference_url

https://access.redhat.com/errata/RHSA-2024:3583

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-31T17:54:51Z/

url

https://access.redhat.com/errata/RHSA-2024:3583

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6236.json

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6236.json

reference_url

https://access.redhat.com/security/cve/CVE-2023-6236

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-31T17:54:51Z/

url

https://access.redhat.com/security/cve/CVE-2023-6236

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-6236

reference_id

reference_type

scores

value	0.00061
scoring_system	epss
scoring_elements	0.19202
published_at	2026-04-09T12:55:00Z

value	0.00061
scoring_system	epss
scoring_elements	0.19148
published_at	2026-04-08T12:55:00Z

value	0.00061
scoring_system	epss
scoring_elements	0.19068
published_at	2026-04-07T12:55:00Z

value	0.00061
scoring_system	epss
scoring_elements	0.19352
published_at	2026-04-04T12:55:00Z

value	0.00061
scoring_system	epss
scoring_elements	0.19299
published_at	2026-04-02T12:55:00Z

value	0.00061
scoring_system	epss
scoring_elements	0.19162
published_at	2026-04-12T12:55:00Z

value	0.00061
scoring_system	epss
scoring_elements	0.19107
published_at	2026-04-13T12:55:00Z

value	0.00061
scoring_system	epss
scoring_elements	0.19208
published_at	2026-04-11T12:55:00Z

value	0.00061
scoring_system	epss
scoring_elements	0.19066
published_at	2026-04-16T12:55:00Z

value	0.00063
scoring_system	epss
scoring_elements	0.19712
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-6236

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=2250812

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-31T17:54:51Z/

url

https://bugzilla.redhat.com/show_bug.cgi?id=2250812

reference_url

https://github.com/wildfly-security/wildfly-elytron

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/wildfly-security/wildfly-elytron

reference_url

https://github.com/wildfly-security/wildfly-elytron/commit/6e94ec3476a279c0a130186209c50a2991ba4c84

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/wildfly-security/wildfly-elytron/commit/6e94ec3476a279c0a130186209c50a2991ba4c84

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-6236

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-6236

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jbosseapxp
reference_id	cpe:/a:redhat:jbosseapxp
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jbosseapxp

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:7
reference_id	cpe:/a:redhat:jboss_enterprise_application_platform:7
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:7

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8.0
reference_id	cpe:/a:redhat:jboss_enterprise_application_platform:8.0
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8.0

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
reference_id	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
reference_id	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9

reference_url

https://github.com/advisories/GHSA-jpmx-996v-48fm

reference_id

GHSA-jpmx-996v-48fm

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jpmx-996v-48fm

fixed_packages

url pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc@2.2.3.Final

purl pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc@2.2.3.Final

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-rkxb-8u8q-1ua4

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc@2.2.3.Final

url pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc@2.2.5.Final

purl pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc@2.2.5.Final

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-rkxb-8u8q-1ua4

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc@2.2.5.Final

aliases CVE-2023-6236, GHSA-jpmx-996v-48fm

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-etqf-v4yp-4fdu

url VCID-rkxb-8u8q-1ua4

vulnerability_id VCID-rkxb-8u8q-1ua4

summary

WildFly Elytron OpenID Connect Client ExtensionOIDC authorization code injection attack
### Impact

A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur, allowing an attacker to inject a stolen authorization code into the attacker's own session with the client with a victim's identity. This is usually done with a Man-in-the-Middle (MitM) or phishing attack.

### Patches

[2.2.9.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.2.9.Final)
[2.6.2.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.6.2.Final)

### Workarounds

Currently, no mitigation is currently available for this vulnerability.

### References

https://nvd.nist.gov/vuln/detail/CVE-2024-12369
https://access.redhat.com/security/cve/CVE-2024-12369	
https://bugzilla.redhat.com/show_bug.cgi?id=2331178
https://issues.redhat.com/browse/ELY-2887

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12369.json

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12369.json

reference_url

https://access.redhat.com/security/cve/CVE-2024-12369

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-10T15:29:39Z/

url

https://access.redhat.com/security/cve/CVE-2024-12369

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-12369

reference_id

reference_type

scores

value	0.00081
scoring_system	epss
scoring_elements	0.24055
published_at	2026-04-04T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23878
published_at	2026-04-16T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23867
published_at	2026-04-18T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23923
published_at	2026-04-12T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23966
published_at	2026-04-11T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.2395
published_at	2026-04-09T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23904
published_at	2026-04-08T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.23837
published_at	2026-04-07T12:55:00Z

value	0.00081
scoring_system	epss
scoring_elements	0.24016
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-12369

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=2331178

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-10T15:29:39Z/

url

https://bugzilla.redhat.com/show_bug.cgi?id=2331178

reference_url

https://github.com/wildfly-security/wildfly-elytron

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/wildfly-security/wildfly-elytron

reference_url

https://github.com/wildfly-security/wildfly-elytron/commit/5ac5e6bbcba58883b3cebb2ddbcec4de140c5ceb

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-10T15:29:39Z/

url

https://github.com/wildfly-security/wildfly-elytron/commit/5ac5e6bbcba58883b3cebb2ddbcec4de140c5ceb

reference_url

https://github.com/wildfly-security/wildfly-elytron/commit/d7754f5a6a91ceb0f4dbbbfe301991f6a55404cb

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-10T15:29:39Z/

url

https://github.com/wildfly-security/wildfly-elytron/commit/d7754f5a6a91ceb0f4dbbbfe301991f6a55404cb

reference_url

https://github.com/wildfly-security/wildfly-elytron/pull/2253

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-10T15:29:39Z/

url

https://github.com/wildfly-security/wildfly-elytron/pull/2253

reference_url

https://github.com/wildfly-security/wildfly-elytron/pull/2261

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-10T15:29:39Z/

url

https://github.com/wildfly-security/wildfly-elytron/pull/2261

reference_url

https://github.com/wildfly-security/wildfly-elytron/security/advisories/GHSA-5565-3c98-g6jc

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/wildfly-security/wildfly-elytron/security/advisories/GHSA-5565-3c98-g6jc

reference_url

https://issues.redhat.com/browse/ELY-2887

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://issues.redhat.com/browse/ELY-2887

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-12369

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-12369

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:
reference_id	cpe:/a:redhat:build_keycloak:
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:7
reference_id	cpe:/a:redhat:jboss_enterprise_application_platform:7
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:7

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8.0
reference_id	cpe:/a:redhat:jboss_enterprise_application_platform:8.0
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8.0

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
reference_id	cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8

reference_url

https://github.com/advisories/GHSA-5565-3c98-g6jc

reference_id

GHSA-5565-3c98-g6jc

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5565-3c98-g6jc

fixed_packages

url	pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc@2.2.9.Final
purl	pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc@2.2.9.Final
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc@2.2.9.Final

url	pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc@2.6.2.Final
purl	pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc@2.6.2.Final
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc@2.6.2.Final

aliases CVE-2024-12369, GHSA-5565-3c98-g6jc

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rkxb-8u8q-1ua4

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.wildfly.security/wildfly-elytron-http-oidc@1.17.0.Final

Package Instance