Package details: pkg:maven/org.wildfly.security/wildfly-elytron@1.20.3.Final
purl pkg:maven/org.wildfly.security/wildfly-elytron@1.20.3.Final
Next non-vulnerable version 2.2.9.Final
Latest non-vulnerable version 2.6.2.Final
Risk 3.1
Vulnerabilities affecting this package (1)
Vulnerability: VCID-rkxb-8u8q-1ua4
Aliases: CVE-2024-12369, GHSA-5565-3c98-g6jc
Summary: WildFly Elytron OpenID Connect Client Extension: OIDC authorization code injection attack

### Impact
A vulnerability was found in OIDC-Client. When using the elytron-oidc-client subsystem with WildFly, authorization code injection attacks can occur: an attacker injects a stolen authorization code into the attacker's own session with the client and ends up logged in with the victim's identity. The code is usually stolen through a man-in-the-middle (MitM) or phishing attack.

### Patches
[2.2.9.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.2.9.Final)
[2.6.2.Final](https://github.com/wildfly-security/wildfly-elytron/releases/tag/2.6.2.Final)

### Workarounds
No mitigation is currently available for this vulnerability.

### References
https://nvd.nist.gov/vuln/detail/CVE-2024-12369
https://access.redhat.com/security/cve/CVE-2024-12369
https://bugzilla.redhat.com/show_bug.cgi?id=2331178
https://issues.redhat.com/browse/ELY-2887

Fixed by: 2.2.9.Final (affected by 0 other vulnerabilities), 2.6.2.Final (affected by 0 other vulnerabilities)
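The following simulation is an added example written for this page; it is not code from wildfly-elytron or from the advisory, and it does not claim to reproduce how the patched releases fix the subsystem. It models the authorization-code flow with a toy authorization server and a relying-party session (class names, the subject "alice", and the sample secrets are all constructed here) and shows why a correct `state` check does not stop code injection: the attacker replays the victim's code inside the attacker's own session, so the `state` the client sees is the attacker's own. Binding each code to a PKCE `code_challenge` (RFC 7636) at issuance, and requiring the matching `code_verifier` at the token endpoint, is the general defence against this attack class, because the verifier never leaves the victim's session. Assumes Java 17 or later (records).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/** Constructed simulation of an OIDC authorization-code injection attempt (example, not project code). */
public class CodeInjectionDemo {

    private static final SecureRandom RNG = new SecureRandom();

    /** What the simulated authorization server remembers about each code it issued. */
    record IssuedCode(String subject, String codeChallenge) {}

    /** Minimal authorization server: authorize() issues a one-time code, token() redeems it. */
    static class AuthorizationServer {
        private final Map<String, IssuedCode> codes = new HashMap<>();

        /** The user has authenticated; bind the code to the request's code_challenge (null = no PKCE). */
        String authorize(String subject, String codeChallenge) {
            String code = randomToken();
            codes.put(code, new IssuedCode(subject, codeChallenge));
            return code;
        }

        /** Redeem a code. Returns the subject (standing in for the id_token) or null when refused. */
        String token(String code, String codeVerifier) {
            IssuedCode issued = codes.remove(code);                        // codes are single-use
            if (issued == null) return null;
            if (issued.codeChallenge() == null) return issued.subject();   // no PKCE: holding the code is enough
            if (codeVerifier == null) return null;
            byte[] expected = issued.codeChallenge().getBytes(StandardCharsets.US_ASCII);
            byte[] presented = s256(codeVerifier).getBytes(StandardCharsets.US_ASCII);
            return MessageDigest.isEqual(expected, presented) ? issued.subject() : null;
        }
    }

    /** Per-browser-session state kept by the relying party (the OIDC client). */
    static class ClientSession {
        final String state = randomToken();   // CSRF protection for the callback
        final String codeVerifier;            // PKCE secret, never leaves this session; null when PKCE is off
        String loggedInAs;

        ClientSession(boolean usePkce) { this.codeVerifier = usePkce ? randomToken() : null; }

        String codeChallenge() { return codeVerifier == null ? null : s256(codeVerifier); }
    }

    /** The client's redirect_uri handler: checks state, then redeems the code with this session's verifier. */
    static boolean handleCallback(AuthorizationServer as, ClientSession session, String state, String code) {
        if (!MessageDigest.isEqual(state.getBytes(StandardCharsets.US_ASCII),
                                   session.state.getBytes(StandardCharsets.US_ASCII))) {
            return false;
        }
        String subject = as.token(code, session.codeVerifier);
        if (subject == null) return false;
        session.loggedInAs = subject;
        return true;
    }

    /** Returns whom the attacker's session ends up logged in as (null means the injection failed). */
    static String runInjection(boolean usePkce) {
        AuthorizationServer as = new AuthorizationServer();
        ClientSession victim = new ClientSession(usePkce);
        ClientSession attacker = new ClientSession(usePkce);

        // The victim authenticates; the code is bound to the victim session's code_challenge (if any).
        String stolenCode = as.authorize("alice", victim.codeChallenge());

        // The attacker captured that code (MitM or phishing) and delivers it to the client's callback
        // inside the attacker's OWN session, with the attacker's OWN state value. The state check passes:
        // state defends against CSRF, not against injecting someone else's code into your session.
        handleCallback(as, attacker, attacker.state, stolenCode);
        return attacker.loggedInAs;
    }

    /** PKCE S256 transform: base64url(SHA-256(verifier)) without padding (RFC 7636). */
    static String s256(String verifier) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(verifier.getBytes(StandardCharsets.US_ASCII));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static String randomToken() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    public static void main(String[] args) {
        System.out.println("client without PKCE: attacker session logged in as " + runInjection(false));
        System.out.println("client with PKCE:    attacker session logged in as " + runInjection(true));
    }
}
```

Without PKCE the attacker's session is logged in as the victim; with PKCE the token exchange is refused because the attacker's session holds a different `code_verifier`. The check is only as good as the authorization server's enforcement of it, and a real client additionally verifies the `nonce` claim of the returned ID token against the value stored in the session. For the affected version on this page the advisory lists no workaround, so the practical action is to move to one of the fixed releases.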
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-6ssa-j1q1-c3cs
Aliases: CVE-2022-3143, GHSA-jmj6-p2j9-68cp
Summary: Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator. A flaw was found in Wildfly-elytron. Wildfly-elytron uses `java.util.Arrays.equals` in several places, which is unsafe and vulnerable to timing attacks. To compare values securely, use `java.security.MessageDigest.isEqual` instead. This flaw allows an attacker to access sensitive information or impersonate an authenticated user.
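The following is an added example, not code from wildfly-elytron or from the advisory, illustrating why `java.util.Arrays.equals` is the wrong tool for secrets and what `java.security.MessageDigest.isEqual` changes. Timing differences of a few nanoseconds are hard to show reliably in a demo, so the first helper mirrors the early-exit loop of an ordinary equality check and reports how many bytes it examined before returning; that count is what an attacker measures indirectly. The HMAC verification pair shows the vulnerable and hardened shapes side by side. The key, message and sample secret are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Constructed example: data-dependent vs constant-time comparison of secret-derived bytes. */
public class TimingSafeCompare {

    /**
     * Same shape as a short-circuit equality check (the behaviour Arrays.equals has), instrumented to
     * return how many bytes were examined instead of a boolean. The count, and therefore the running
     * time, depends on the position of the first mismatch, which is the signal a timing attack uses.
     */
    static int bytesExaminedByEarlyExit(byte[] a, byte[] b) {
        if (a.length != b.length) return 0;
        int examined = 0;
        for (int i = 0; i < a.length; i++) {
            examined++;
            if (a[i] != b[i]) return examined;   // stops at the first differing byte
        }
        return examined;
    }

    /** Constant-time comparison written out by hand: OR-accumulates XORs and never returns early on a mismatch. */
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;   // only the length is leaked; acceptable for fixed-size tags
        int diff = 0;
        for (int i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static byte[] hmacSha256(byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message);
    }

    /** Vulnerable pattern: the comparison returns as soon as a byte differs. */
    static boolean verifyTagUnsafe(byte[] key, byte[] message, byte[] tag) throws Exception {
        return Arrays.equals(hmacSha256(key, message), tag);
    }

    /** Hardened pattern: MessageDigest.isEqual examines every byte when the lengths match. */
    static boolean verifyTagSafe(byte[] key, byte[] message, byte[] tag) throws Exception {
        return MessageDigest.isEqual(hmacSha256(key, message), tag);
    }

    public static void main(String[] args) throws Exception {
        byte[] secret     = "correct-horse-battery-staple".getBytes(StandardCharsets.US_ASCII);
        byte[] wrongFirst = "Xorrect-horse-battery-staple".getBytes(StandardCharsets.US_ASCII);
        byte[] wrongLast  = "correct-horse-battery-staplX".getBytes(StandardCharsets.US_ASCII);

        // The early-exit comparator examines a single byte for the first guess but the whole array for
        // the second: an attacker who can measure that gap recovers the secret one byte at a time.
        System.out.println("early exit, mismatch at first byte: " + bytesExaminedByEarlyExit(secret, wrongFirst));
        System.out.println("early exit, mismatch at last byte:  " + bytesExaminedByEarlyExit(secret, wrongLast));
        System.out.println("constant time, both guesses: " + constantTimeEquals(secret, wrongFirst)
                + " " + constantTimeEquals(secret, wrongLast));

        byte[] key = "demo-key".getBytes(StandardCharsets.US_ASCII);            // constructed sample key
        byte[] msg = "user=alice;role=admin".getBytes(StandardCharsets.US_ASCII);
        byte[] tag = hmacSha256(key, msg);
        byte[] forged = tag.clone();
        forged[forged.length - 1] ^= 0x01;                                      // flip one bit of the tag
        System.out.println("unsafe verify, genuine/forged: "
                + verifyTagUnsafe(key, msg, tag) + "/" + verifyTagUnsafe(key, msg, forged));
        System.out.println("safe verify,   genuine/forged: "
                + verifyTagSafe(key, msg, tag) + "/" + verifyTagSafe(key, msg, forged));
    }
}
```

Both verifiers return the same booleans; the difference is only in how long the rejection takes, which is exactly the property the advisory is about. Two caveats when applying the fix: `MessageDigest.isEqual` still returns immediately on a length mismatch, so keep it for fixed-length values such as MACs and hashes, and the swap only helps if every comparison on the secret path is replaced, including any `String.equals` on decoded tokens.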

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T23:24:54.152922+00:00 GitLab Importer Affected by VCID-rkxb-8u8q-1ua4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.wildfly.security/wildfly-elytron/CVE-2024-12369.yml 38.4.0
2026-04-16T22:19:30.142145+00:00 GitLab Importer Fixing VCID-6ssa-j1q1-c3cs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.wildfly.security/wildfly-elytron/CVE-2022-3143.yml 38.4.0
2026-04-12T00:44:15.546989+00:00 GitLab Importer Affected by VCID-rkxb-8u8q-1ua4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.wildfly.security/wildfly-elytron/CVE-2024-12369.yml 38.3.0
2026-04-11T23:37:20.841914+00:00 GitLab Importer Fixing VCID-6ssa-j1q1-c3cs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.wildfly.security/wildfly-elytron/CVE-2022-3143.yml 38.3.0
2026-04-03T00:52:12.449350+00:00 GitLab Importer Affected by VCID-rkxb-8u8q-1ua4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.wildfly.security/wildfly-elytron/CVE-2024-12369.yml 38.1.0
2026-04-02T23:41:42.909579+00:00 GitLab Importer Fixing VCID-6ssa-j1q1-c3cs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.wildfly.security/wildfly-elytron/CVE-2022-3143.yml 38.1.0
2026-04-02T16:58:46.034145+00:00 GHSA Importer Fixing VCID-6ssa-j1q1-c3cs https://github.com/advisories/GHSA-jmj6-p2j9-68cp 38.1.0
2026-04-01T18:04:20.489686+00:00 GitLab Importer Fixing VCID-6ssa-j1q1-c3cs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.wildfly.security/wildfly-elytron/CVE-2022-3143.yml 38.0.0
2026-04-01T12:58:00.571498+00:00 GithubOSV Importer Fixing VCID-6ssa-j1q1-c3cs https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-jmj6-p2j9-68cp/GHSA-jmj6-p2j9-68cp.json 38.0.0