CVE-2023-6236 Information
Description
A flaw was found in JBoss EAP. When an OIDC app that serves multiple tenants attempts to access the second tenant, it should prompt the user to log in again, since the second tenant is secured with a different OIDC configuration. The underlying issue is in OidcSessionTokenStore when determining whether a cached token should be used or not. This logic needs to be updated to take into account the new "provider-url" option in addition to the "realm" option.
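As an added illustration (not code from JBoss EAP or from the fix itself), the hypothetical Java check below contrasts a realm-only reuse decision, as the description attributes to OidcSessionTokenStore, with one that also compares provider-url; the record types, method names and tenant URLs are assumptions.

```java
import java.util.Objects;

// Hypothetical model (not JBoss EAP code): the parts of an OIDC tenant
// configuration that identify which provider a cached token came from.
record OidcConfig(String realm, String providerUrl) {}

// A cached token together with the configuration it was obtained under.
record CachedToken(String accessToken, OidcConfig issuedFor) {}

public class OidcTokenReuseCheck {

    // Pre-fix behaviour as the advisory describes it: only the realm is
    // compared, so a token obtained for tenant A is reused for tenant B when
    // both are configured with the same realm name but a different provider-url.
    static boolean reuseTokenRealmOnly(CachedToken cached, OidcConfig current) {
        return cached != null
            && Objects.equals(cached.issuedFor().realm(), current.realm());
    }

    // Corrected behaviour: realm and provider-url must both match. A mismatch
    // on either means the tenant is secured by a different OIDC configuration,
    // so the cached token is rejected and the user is prompted to log in again.
    static boolean reuseTokenRealmAndProvider(CachedToken cached, OidcConfig current) {
        if (cached == null) {
            return false;
        }
        OidcConfig issued = cached.issuedFor();
        return Objects.equals(issued.realm(), current.realm())
            && Objects.equals(issued.providerUrl(), current.providerUrl());
    }

    public static void main(String[] args) {
        // Constructed example tenants: same realm name, different providers.
        OidcConfig tenantA = new OidcConfig("myrealm", "https://idp-a.example/realms/myrealm");
        OidcConfig tenantB = new OidcConfig("myrealm", "https://idp-b.example/realms/myrealm");
        CachedToken fromA = new CachedToken("constructed-token-value", tenantA);

        // Realm-only check wrongly accepts tenant A's token for tenant B.
        System.out.println("realm-only reuse for tenant B: " + reuseTokenRealmOnly(fromA, tenantB));
        // Corrected check rejects it and forces a fresh login for tenant B.
        System.out.println("realm+provider reuse for tenant B: " + reuseTokenRealmAndProvider(fromA, tenantB));
        // The same tenant still reuses its own cached token.
        System.out.println("realm+provider reuse for tenant A: " + reuseTokenRealmAndProvider(fromA, tenantA));
    }
}
```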
Reference
https://access.redhat.com/security/cve/CVE-2023-6236
https://bugzilla.redhat.com/show_bug.cgi?id=2250812