CVE-2019-12419

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-12419

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12419.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2019-12419

Aliases

GHSA-cw6w-q88j-6mqf

Published

2019-11-06T21:15:11Z

Modified

2024-09-03T02:24:18.869659Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.

References

Affected packages

Git / github.com/apache/cxf

Affected ranges

Type: GIT
Repo: https://github.com/apache/cxf
Events: Introduced

f5ee3b786e22a081121eeebbba6d02fa9f4e7206

Fixed

da2d27d97f9e9abd7d307e2224e5e0338b767ee2

Affected versions

cxf-3.*

cxf-3.2.0

cxf-3.2.1

cxf-3.2.10

cxf-3.2.2

cxf-3.2.3

cxf-3.2.4

cxf-3.2.5

cxf-3.2.6

cxf-3.2.7

cxf-3.2.8

cxf-3.2.9