CVE-2023-6236

Eap: oidc app attempting to access the second tenant, the user should be prompted to log

Severity Score

7.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

A flaw was found in Red Hat Enterprise Application Platform 8. When an OIDC app that serves multiple tenants attempts to access the second tenant, it should prompt the user to log in again since the second tenant is secured with a different OIDC configuration. The underlying issue is in OidcSessionTokenStore when determining if a cached token should be used or not. This logic needs to be updated to take into account the new "provider-url" option in addition to the "realm" option. EAP-7 does not provide the vulnerable provider-url configuration option in its OIDC implementation and is not affected by this flaw.

Se encontró una falla en JBoss EAP. Cuando una aplicación OIDC que atiende a varios inquilinos intenta acceder al segundo inquilino, debería solicitarle al usuario que inicie sesión nuevamente, ya que el segundo inquilino está protegido con una configuración OIDC diferente. El problema subyacente está en OidcSessionTokenStore al determinar si se debe utilizar o no un token almacenado en caché. Esta lógica debe actualizarse para tener en cuenta la nueva opción "proveedor-url" además de la opción "realm".

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-11-21 CVE Reserved
2024-04-10 CVE Published
2024-06-06 EPSS Updated
2024-11-24 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-345: Insufficient Verification of Data Authenticity

CAPEC

References (5)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2024:3580	2024-06-18
https://access.redhat.com/errata/RHSA-2024:3581	2024-06-18
https://access.redhat.com/errata/RHSA-2024:3583	2024-06-18
https://access.redhat.com/security/cve/CVE-2023-6236	2024-06-04
https://bugzilla.redhat.com/show_bug.cgi?id=2250812	2024-06-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				*		-		Affected
Redhat Search vendor "Redhat"		Jbosseapxp Search vendor "Redhat" for product "Jbosseapxp"				*		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				*		-		Affected