Flaw in JBoss EAP OIDC Implementation Allows Access to Multiple Tenants Without Logout
CVE-2023-6236
Key Information:
What is CVE-2023-6236?
A vulnerability exists in Red Hat JBoss Enterprise Application Platform 8 that affects applications using OpenID Connect (OIDC) for multi-tenancy. The flaw is in the OidcSessionTokenStore: the logic that decides whether a cached authentication token may be reused does not take into account the 'provider-url' option, which differs from tenant to tenant. When a user switches to a second tenant, the previously cached token is accepted instead of a new login being required, defeating the isolation that tenant-specific configurations are meant to provide. Organizations running this platform with multi-tenant OIDC should address the issue promptly so that each tenant enforces its own authentication.
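The following is an added illustration of the flaw class described above, not code from JBoss EAP or WildFly; every class and function name (TenantConfig, CachedToken, Session, vulnerable_lookup, fixed_lookup) is invented for the example, and the provider URLs are constructed sample values. The vulnerable lookup returns whatever token the session has cached; the hardened lookup only reuses a token whose originating deployment and 'iss' claim both match the requesting tenant's provider-url, so a tenant switch falls through to a fresh login.

```python
# Illustration (NOT the WildFly/JBoss EAP OidcSessionTokenStore) of reusing a
# cached OIDC token without checking the tenant's provider-url, and a fix.
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class TenantConfig:
    """One tenant's OIDC deployment; provider_url stands for the 'provider-url' option."""
    name: str
    provider_url: str


@dataclass(frozen=True)
class CachedToken:
    """What the session cache holds after a successful login."""
    subject: str
    issuer: str        # 'iss' claim of the ID token
    provider_url: str  # provider-url of the deployment that performed the login


class Session:
    """Minimal stand-in for an HTTP session with one cached token slot."""

    def __init__(self) -> None:
        self.token: Optional[CachedToken] = None


def normalize(url: str) -> str:
    """Compare provider URLs without trailing-slash or case noise."""
    return url.rstrip("/").lower()


def vulnerable_lookup(session: Session, tenant: TenantConfig) -> Optional[CachedToken]:
    """Flawed logic: any cached token is accepted, whatever tenant obtained it."""
    return session.token


def fixed_lookup(session: Session, tenant: TenantConfig) -> Optional[CachedToken]:
    """Hardened logic: reuse the cached token only for the tenant it was issued for.

    Both the deployment that obtained the token and the token's own 'iss' claim
    must match the requesting tenant's provider-url; otherwise require a new login.
    """
    token = session.token
    if token is None:
        return None
    want = normalize(tenant.provider_url)
    if normalize(token.provider_url) != want or normalize(token.issuer) != want:
        return None
    return token


def login(session: Session, tenant: TenantConfig, subject: str) -> CachedToken:
    """Simulate a completed OIDC login at the tenant's provider and cache the result."""
    token = CachedToken(subject=subject, issuer=tenant.provider_url,
                        provider_url=tenant.provider_url)
    session.token = token
    return token


Lookup = Callable[[Session, TenantConfig], Optional[CachedToken]]


def request_requires_login(lookup: Lookup, session: Session, tenant: TenantConfig) -> bool:
    """True if the filter would send the user to the tenant's provider to log in."""
    return lookup(session, tenant) is None


def tenant_switch_scenario(lookup: Lookup) -> bool:
    """Log in to tenant A, then request tenant B with the same session.

    Returns True when tenant B forces a new login (correct behaviour) and
    False when tenant A's cached token is silently reused (the flaw).
    """
    # Constructed sample tenants; the hostnames are placeholders.
    tenant_a = TenantConfig("tenant-a", "https://idp.example.test/realms/tenant-a")
    tenant_b = TenantConfig("tenant-b", "https://idp.example.test/realms/tenant-b")
    session = Session()
    assert request_requires_login(lookup, session, tenant_a)      # fresh session: must log in
    login(session, tenant_a, subject="alice")
    assert not request_requires_login(lookup, session, tenant_a)  # same tenant: reuse is fine
    return request_requires_login(lookup, session, tenant_b)


if __name__ == "__main__":
    print("vulnerable store forces re-login on tenant switch:", tenant_switch_scenario(vulnerable_lookup))
    print("fixed store forces re-login on tenant switch:", tenant_switch_scenario(fixed_lookup))
```

The check on the 'iss' claim is there on purpose: recording which deployment cached the token covers the switch described in the advisory, while also matching the token's issuer against the tenant's provider-url catches a token that was obtained from some other provider and later injected into the cache.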
Affected Version(s)
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 0:4.0.1-1.Final_redhat_00001.1.el8eap
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 0:2.2.4-2.SP01_redhat_00001.1.el8eap
Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 0:4.0.1-1.Final_redhat_00001.1.el9eap