CVE-2019-12419
First published: Wed Nov 06 2019(Updated: )
Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/cxf | <3.3.4 | 3.3.4 |
| redhat/cxf | <3.2.11 | 3.2.11 |
| Apache CXF | >=3.2.0<3.2.11 | |
| Apache CXF | >=3.3.0<3.3.4 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| Oracle Enterprise Manager Base Platform | =13.2.1.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Retail Order Broker | =15.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r861eb1a9e0250e9150215b17f0263edf62becd5e20fc96251cff59f6@%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/re7593a274ee0a85d304d5d42c66fc0081c94d7f22bc96a1084d43b80@%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/ree5fc719e330f82ae38a2b0050c91f18ed5b878312dc0b9e0b9815be@%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1816176
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/errata/RHSA-2020:2067
- https://access.redhat.com/security/cve/cve-2019-12419
- https://access.redhat.com/errata/RHSA-2020:2333
- https://bugzilla.redhat.com/show_bug.cgi?id=1816175
- https://www.cve.org/CVERecord?id=CVE-2019-12419 https://nvd.nist.gov/vuln/detail/CVE-2019-12419
- https://access.redhat.com/errata/RHSA-2020:3192
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-12419?
CVE-2019-12419 is a vulnerability in cxf versions prior to 3.2.11 and 3.3.4 that allows unauthenticated attackers to pass an access token service validation by supplying a client ID parameter.
How severe is CVE-2019-12419?
CVE-2019-12419 has a severity rating of 9.8 out of 10, indicating it is critical.
Which software versions are affected by CVE-2019-12419?
CVE-2019-12419 affects Apache CXF versions up to 3.2.11 and 3.3.4, Oracle Commerce Guided Search 11.3.2, Oracle Enterprise Manager Base Platform 13.2.1.0, Oracle FLEXCUBE Private Banking 12.0.0 and 12.1.0, and Oracle Retail Order Broker 15.0.
How can I fix the CVE-2019-12419 vulnerability?
To fix the CVE-2019-12419 vulnerability, upgrade Apache CXF to version 3.2.11 or 3.3.4.
Where can I find more information about CVE-2019-12419?
You can find more information about CVE-2019-12419 in the official Apache CXF security advisories, Red Hat Bugzilla, and Red Hat support policy updates.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-12419
- agent/software-canonical-lookup
- collector/redhat-cve
- vendor/apache
- canonical/apache cxf
- version/apache cxf/3.2.0
- version/apache cxf/3.3.0
- vendor/oracle
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle enterprise manager base platform
- version/oracle enterprise manager base platform/13.2.1.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle retail order broker
- version/oracle retail order broker/15.0
- package-manager/redhat