CVE-2019-12419

Severity

8.1

Description

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.

Related links:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12419

http://cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc

Project

Category

Apache CXF OpenId Connect token service does not properly validate the clientId

Tags

data

Date Disclosed

2019-11-06

Date Discovered

2019-05-28

Apache TomEE 8.0.x

First release:

2019-09-13

CVEs:

88

Support Lifecycle:

Namespace:

javax

Apache TomEE 7.1.x

First release:

2018-09-02

CVEs:

81

Support Lifecycle:

Maintenance Support

Namespace:

javax

7.1.0 7.1.1 7.1.2 7.1.3 7.1.4

Apache TomEE 7.0.x

First release:

2016-05-17

CVEs:

111

Support Lifecycle:

Maintenance Support

Namespace:

javax

7.0.0 7.0.1 7.0.2 7.0.3 7.0.4 7.0.5 7.0.6 7.0.7 7.0.8 7.0.9

Apache TomEE 1.7.x

First release:

2014-08-09

CVEs:

95

Support Lifecycle:

Namespace:

javax

1.7.0 1.7.1 1.7.2 1.7.3 1.7.4 1.7.5

Apache TomEE 1.6.x

First release:

2013-11-17

CVEs:

108

Support Lifecycle:

Namespace:

javax

1.6.0 1.6.0.1 1.6.0.2

Apache TomEE 1.5.x

First release:

2012-09-28

CVEs:

119

Support Lifecycle:

Namespace:

javax

1.5.0 1.5.1 1.5.2

Feel Vulnerable?

Contact us so we can help you.

First name ^*
Last name ^*
Email ^*
Company ^*
Product ^*
Heard about us from: ^*
Tell us more ^*

Send me a confirmation email

^* These fields are required.