Improper Authorization in JBoss Enterprise Application Platform - CVE-2023-6236

Published: June 19, 2024


Vulnerability identifier: #VU92281
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-6236
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Red Hat Inc.
Affected software:
JBoss Enterprise Application Platform

Detailed vulnerability description

The vulnerability allows a remote user to bypass certain security restrictions.

The vulnerability exists in the OidcSessionTokenStore when determining whether a cached token should be used. When an OIDC application that serves multiple tenants accesses the second tenant, the user should be prompted to log in again, because the second tenant is secured with a different OIDC configuration; instead, the cached token from the first tenant is accepted. A remote user can gain unauthorized access to the second tenant.
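The cache-validity check described above, modelled in Python as an added example (not JBoss EAP's own code; the class, method and claim names are assumptions): the flawed version reuses any unexpired cached token, while the hardened version also binds the token to the issuer and client of the deployment now being accessed, so a token from one tenant's OIDC configuration cannot satisfy another.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class OidcDeployment:
    """Per-tenant OIDC configuration of one secured deployment (constructed model)."""
    issuer: str      # expected "iss" claim, e.g. https://idp.example/realms/tenant1
    client_id: str   # expected member of the "aud" claim


@dataclass
class CachedToken:
    """Token kept in the session-scoped store, reduced to the claims the check needs."""
    iss: str
    aud: Tuple[str, ...]
    exp: int         # expiry as a Unix timestamp


class SessionTokenStore:
    """Minimal stand-in for a session-keyed token cache (assumed structure)."""
    def __init__(self) -> None:
        self._tokens: Dict[str, CachedToken] = {}

    def put(self, session_id: str, token: CachedToken) -> None:
        self._tokens[session_id] = token

    def get(self, session_id: str) -> Optional[CachedToken]:
        return self._tokens.get(session_id)


def reuse_cached_token_flawed(store: SessionTokenStore, session_id: str,
                              deployment: OidcDeployment, now: int) -> bool:
    # Only freshness is checked, so a token issued for tenant A is reused for tenant B.
    tok = store.get(session_id)
    return tok is not None and tok.exp > now


def reuse_cached_token_fixed(store: SessionTokenStore, session_id: str,
                             deployment: OidcDeployment, now: int) -> bool:
    # Freshness plus binding to the deployment that is asking: a different issuer
    # or audience means a different OIDC configuration, so the user must log in again.
    tok = store.get(session_id)
    if tok is None or tok.exp <= now:
        return False
    return tok.iss == deployment.issuer and deployment.client_id in tok.aud


def demo() -> Dict[str, bool]:
    # Constructed sample: one session holding a token issued for tenant1 only.
    tenant1 = OidcDeployment("https://idp.example/realms/tenant1", "app-tenant1")
    tenant2 = OidcDeployment("https://idp.example/realms/tenant2", "app-tenant2")
    store = SessionTokenStore()
    store.put("sess-1", CachedToken(iss=tenant1.issuer, aud=("app-tenant1",), exp=2000))
    return {
        "flawed_cross_tenant": reuse_cached_token_flawed(store, "sess-1", tenant2, now=1000),
        "fixed_cross_tenant": reuse_cached_token_fixed(store, "sess-1", tenant2, now=1000),
        "fixed_same_tenant": reuse_cached_token_fixed(store, "sess-1", tenant1, now=1000),
        "fixed_expired": reuse_cached_token_fixed(store, "sess-1", tenant1, now=3000),
    }
```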


How to mitigate CVE-2023-6236

Install updates from the vendor's website.

Sources