GHSA-cw6w-q88j-6mqf

Source

https://github.com/advisories/GHSA-cw6w-q88j-6mqf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-cw6w-q88j-6mqf/GHSA-cw6w-q88j-6mqf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-cw6w-q88j-6mqf

Aliases

CVE-2019-12419

Published

2019-11-08T17:12:59Z

Modified

2023-11-08T04:01:05.028528Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Potential session hijack in Apache CXF

Details

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.

Database specific

{
    "nvd_published_at": "2019-11-06T21:15:00Z",
    "github_reviewed_at": "2019-11-07T23:18:50Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-863"
    ]
}

References

Affected packages

Maven / org.apache.cxf:cxf

Package

Name: org.apache.cxf:cxf; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.2.11

Affected versions

2.*

2.0.6

2.0.7

2.0.8

2.0.9

2.0.10

2.0.11

2.0.12

2.0.13

2.1

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.2

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.2.11

2.2.12

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.3.10

2.3.11

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.4.9

2.4.10

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

2.5.8

2.5.9

2.5.10

2.5.11

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.6.8

2.6.9

2.6.10

2.6.11

2.6.12

2.6.13

2.6.14

2.6.15

2.6.16

2.6.17

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.7.6

2.7.7

2.7.8

2.7.9

2.7.10

2.7.11

2.7.12

2.7.13

2.7.14

2.7.15

2.7.16

2.7.17

2.7.18

3.*

3.0.0-milestone1

3.0.0-milestone2

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.7

3.0.8

3.0.9

3.0.10

3.0.11

3.0.12

3.0.13

3.0.14

3.0.15

3.0.16

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10

3.1.11

3.1.12

3.1.13

3.1.14

3.1.15

3.1.16

3.1.17

3.1.18

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.2.5

3.2.6

3.2.7

3.2.8

3.2.9

3.2.10

Maven / org.apache.cxf:cxf

Package

Name: org.apache.cxf:cxf; View open source insights on deps.dev
Purl: pkg:maven/org.apache.cxf/cxf

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.3.0

Fixed

3.3.4

Affected versions

3.*

3.3.0

3.3.1

3.3.2

3.3.3