Improper Authorization in JBoss Enterprise Application Platform - CVE-2023-6236

Published: June 19, 2024


Vulnerability identifier: #VU92281
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-6236
CWE-ID: CWE-285
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: JBoss Enterprise Application Platform
Software vendor: Red Hat Inc.

Description

The vulnerability allows a remote user to bypass certain security restrictions.

The vulnerability exists in the OidcSessionTokenStore, in the logic that decides whether a cached token should be reused. When an OIDC application that serves multiple tenants attempts to access the second tenant, it should prompt the user to log in again, because the second tenant is secured with a different OIDC configuration; instead the token cached for the first tenant is accepted. A remote user can therefore gain unauthorized access to the second tenant.
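The check at the heart of this flaw class is easier to see in code. The following is an added illustration written for this page; it is not JBoss EAP, WildFly or Elytron source and does not reproduce the vendor's fix. It models a per-session token store with two lookup strategies: one that reuses any token cached for the session (the weak behaviour the description outlines), and a tenant-aware one that only reuses a token whose issuer and audience match the OIDC configuration of the tenant being accessed, forcing a fresh login otherwise. Class names, fields and the constructed tokens are all assumptions for the example.

```python
"""Tenant-aware reuse check for cached OIDC tokens (illustrative, not JBoss code)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class OidcConfig:
    """Constructed: the per-tenant OIDC deployment settings relevant to reuse."""
    issuer: str      # expected 'iss' claim for this tenant's provider
    client_id: str   # expected 'aud' claim for this tenant's client


@dataclass(frozen=True)
class CachedToken:
    """Constructed: the claims of an already-validated token kept in the cache."""
    iss: str
    aud: str
    sub: str


class SessionTokenStore:
    """Caches one validated token per HTTP session, as a session token store would."""

    def __init__(self) -> None:
        self._by_session: Dict[str, CachedToken] = {}

    def store(self, session_id: str, token: CachedToken) -> None:
        self._by_session[session_id] = token

    def lookup_insecure(self, session_id: str, config: OidcConfig) -> Optional[CachedToken]:
        # Weak behaviour: any token cached for the session is reused, so a token
        # issued for tenant A also satisfies a request to tenant B. The config
        # argument is accepted but never consulted.
        return self._by_session.get(session_id)

    def lookup_tenant_aware(self, session_id: str, config: OidcConfig) -> Optional[CachedToken]:
        # Hardened behaviour: reuse only when the cached token was issued by the
        # provider and for the client that secure the tenant being accessed.
        token = self._by_session.get(session_id)
        if token is None:
            return None
        if token.iss != config.issuer or token.aud != config.client_id:
            # Mismatch means a different OIDC configuration: require a new login.
            return None
        return token


def demo() -> Dict[str, bool]:
    """Runs both strategies against a constructed cross-tenant access attempt."""
    tenant_a = OidcConfig(issuer="https://idp.example.test/realms/a", client_id="app-a")
    tenant_b = OidcConfig(issuer="https://idp.example.test/realms/b", client_id="app-b")

    store = SessionTokenStore()
    # Constructed: the user authenticated to tenant A earlier in this session.
    store.store("sess-1", CachedToken(iss=tenant_a.issuer, aud=tenant_a.client_id, sub="alice"))

    return {
        "same_tenant_reused": store.lookup_tenant_aware("sess-1", tenant_a) is not None,
        "insecure_grants_other_tenant": store.lookup_insecure("sess-1", tenant_b) is not None,
        "tenant_aware_forces_login": store.lookup_tenant_aware("sess-1", tenant_b) is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The comparison is done on claims already present in a validated token, so the hardened lookup adds no cryptographic cost; it only refuses to let a session's cached credential stand in for a tenant it was never issued for.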


Remediation

Install updates from the vendor's website.

External links