Flaw in JBoss EAP OIDC Implementation Allows Access to Multiple Tenants Without Logout
CVE-2023-6236

7.3HIGH

Key Information:

Vendor

Red Hat
Status
Red Hat Jboss Enterprise Application Platform 8
Red Hat Jboss Enterprise Application Platform 8.0 For Rhel 8
Red Hat Jboss Enterprise Application Platform 8.0 For Rhel 9
Red Hat Jboss Enterprise Application Platform 7
Vendor
CVE Published:
10 April 2024

What is CVE-2023-6236?

A significant vulnerability exists in Red Hat Enterprise Application Platform 8, impacting applications utilizing OpenID Connect (OIDC) for multi-tenancy. The flaw arises within the OidcSessionTokenStore, where the logic for determining the usage of cached authentication tokens fails to account for the 'provider-url' option associated with different tenants. When a user attempts to switch to a second tenant, the system incorrectly allows the use of the previously cached token instead of requiring a new login, undermining the security of tenant-specific configurations. This oversight necessitates immediate attention for organizations leveraging this platform to ensure proper authentication protocols.

Affected Version(s)

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 0:4.0.1-1.Final_redhat_00001.1.el8eap

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 0:2.2.4-2.SP01_redhat_00001.1.el8eap

Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 0:4.0.1-1.Final_redhat_00001.1.el9eap

References

https://access.redhat.com/errata/RHSA-2024:3580
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:3581
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:3583
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.