Skip to main content

CVE-2019-12419

Severity

8.1

Description

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.

Project

Apache TomEE

Category
Apache CXF OpenId Connect token service does not properly validate the clientId
Tags
data
Date Disclosed

2019-11-06

Date Discovered

2019-05-28

Apache TomEE 8.0.x

First release:
2019-09-13
CVEs:
74
Support Lifecycle:
Namespace:
javax

Apache TomEE 7.1.x

First release:
2018-09-02
CVEs:
68
Support Lifecycle:
Namespace:
javax

Apache TomEE 7.0.x

First release:
2016-05-17
CVEs:
100
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.7.x

First release:
2014-08-09
CVEs:
87
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.6.x

First release:
2013-11-17
CVEs:
101
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.5.x

First release:
2012-09-28
CVEs:
111
Support Lifecycle:
Namespace:
javax
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.