Dex OpenID Connect Authorization Code Interception CVE-2022-39222 (v<2.35.0)
CVE-2022-39222 Published on October 6, 2022

OAuth authorization code exposure in Dex
Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex instances with public clients (and, by extension, clients that accept tokens issued by those Dex instances) are affected by this vulnerability if they run a version prior to 2.35.0. An attacker can exploit this vulnerability by making a victim navigate to a malicious website and guiding them through the OIDC flow, stealing the OAuth authorization code in the process. The attacker can then exchange the authorization code for a token and gain access to applications that accept that token. Version 2.35.0 introduced a fix for this issue. Users are advised to upgrade. There are no known workarounds for this issue.

NVD

Vulnerability Analysis

CVE-2022-39222 is exploitable over the network and requires user interaction. This vulnerability is considered to have a low attack complexity. A public proof-of-concept (PoC) exploit exists for CVE-2022-39222. A successful exploit is rated as having a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE

Weakness Type

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2022-39222 has been classified as an Information Disclosure vulnerability or weakness.

Products Associated with CVE-2022-39222

Affected Versions

dexidp dex versions < 2.35.0 are affected by CVE-2022-39222

Exploit Probability

EPSS: 0.74%
Percentile: 72.64%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares to those of all other vulnerabilities.