First published: Wed Nov 06 2019(Updated: )
Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/cxf | <3.3.4 | 3.3.4 |
redhat/cxf | <3.2.11 | 3.2.11 |
Apache CXF | >=3.2.0<3.2.11 | |
Apache CXF | >=3.3.0<3.3.4 | |
Oracle Commerce Guided Search | =11.3.2 | |
Oracle Enterprise Manager Base Platform | =13.2.1.0 | |
Oracle FLEXCUBE Private Banking | =12.0.0 | |
Oracle FLEXCUBE Private Banking | =12.1.0 | |
Oracle Retail Order Broker | =15.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2019-12419 is a vulnerability in cxf versions prior to 3.2.11 and 3.3.4 that allows unauthenticated attackers to pass an access token service validation by supplying a client ID parameter.
CVE-2019-12419 has a severity rating of 9.8 out of 10, indicating it is critical.
CVE-2019-12419 affects Apache CXF versions up to 3.2.11 and 3.3.4, Oracle Commerce Guided Search 11.3.2, Oracle Enterprise Manager Base Platform 13.2.1.0, Oracle FLEXCUBE Private Banking 12.0.0 and 12.1.0, and Oracle Retail Order Broker 15.0.
To fix the CVE-2019-12419 vulnerability, upgrade Apache CXF to version 3.2.11 or 3.3.4.
You can find more information about CVE-2019-12419 in the official Apache CXF security advisories, Red Hat Bugzilla, and Red Hat support policy updates.