CVE-2019-12419
First published: Wed Nov 06 2019(Updated: )
A flaw was found in cxf in versions prior to 3.2.11 and 3.3.4. The access token services do not properly validate that an authenticated principal is equal to that of the supplied clientId parameter allowing a malicious client to use an authorization code that has been issued to a different client as their own. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/cxf | <3.3.4 | 3.3.4 |
| redhat/cxf | <3.2.11 | 3.2.11 |
| Apache CXF | >=3.2.0<3.2.11 | |
| Apache CXF | >=3.3.0<3.3.4 | |
| Oracle Commerce Guided Search | =11.3.2 | |
| Oracle Enterprise Manager Base Platform | =13.2.1.0 | |
| Oracle FLEXCUBE Private Banking | =12.0.0 | |
| Oracle FLEXCUBE Private Banking | =12.1.0 | |
| Oracle Retail Order Broker | =15.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-12419 https://nvd.nist.gov/vuln/detail/CVE-2019-12419
- https://bugzilla.redhat.com/show_bug.cgi?id=1816175
- https://access.redhat.com/errata/RHSA-2020:2333
- https://access.redhat.com/errata/RHSA-2020:3192
- https://access.redhat.com/errata/RHSA-2020:2067
- https://access.redhat.com/security/cve/cve-2019-12419
- http://cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r861eb1a9e0250e9150215b17f0263edf62becd5e20fc96251cff59f6@%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/re7593a274ee0a85d304d5d42c66fc0081c94d7f22bc96a1084d43b80@%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/ree5fc719e330f82ae38a2b0050c91f18ed5b878312dc0b9e0b9815be@%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1816176
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/ree5fc719e330f82ae38a2b0050c91f18ed5b878312dc0b9e0b9815be%40%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/r861eb1a9e0250e9150215b17f0263edf62becd5e20fc96251cff59f6%40%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/re7593a274ee0a85d304d5d42c66fc0081c94d7f22bc96a1084d43b80%40%3Cdev.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
- https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2019-12419?
CVE-2019-12419 is a vulnerability in cxf versions prior to 3.2.11 and 3.3.4 that allows unauthenticated attackers to pass an access token service validation by supplying a client ID parameter.
How severe is CVE-2019-12419?
CVE-2019-12419 has a severity rating of 9.8 out of 10, indicating it is critical.
Which software versions are affected by CVE-2019-12419?
CVE-2019-12419 affects Apache CXF versions up to 3.2.11 and 3.3.4, Oracle Commerce Guided Search 11.3.2, Oracle Enterprise Manager Base Platform 13.2.1.0, Oracle FLEXCUBE Private Banking 12.0.0 and 12.1.0, and Oracle Retail Order Broker 15.0.
How can I fix the CVE-2019-12419 vulnerability?
To fix the CVE-2019-12419 vulnerability, upgrade Apache CXF to version 3.2.11 or 3.3.4.
Where can I find more information about CVE-2019-12419?
You can find more information about CVE-2019-12419 in the official Apache CXF security advisories, Red Hat Bugzilla, and Red Hat support policy updates.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/references
- agent/author
- agent/severity
- agent/weakness
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-12419
- agent/software-canonical-lookup
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache cxf
- version/apache cxf/3.2.0
- version/apache cxf/3.3.0
- vendor/oracle
- canonical/oracle commerce guided search
- version/oracle commerce guided search/11.3.2
- canonical/oracle enterprise manager base platform
- version/oracle enterprise manager base platform/13.2.1.0
- canonical/oracle flexcube private banking
- version/oracle flexcube private banking/12.0.0
- version/oracle flexcube private banking/12.1.0
- canonical/oracle retail order broker
- version/oracle retail order broker/15.0
- package-manager/redhat