Main Vulnerability Database Vulnerabilities #VU22576

#VU22576 Improper Authentication in Apache CXF - CVE-2019-12419

Published: November 7, 2019

Vulnerability identifier: #VU22576

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-12419

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Apache CXF

Software vendor:
Apache Foundation

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due the access token services does not validate that the authenticated principal is equal to that of the supplied "clientId" parameter in the request. A remote authenticated attacker can steal an authorization code issued to another client and obtain an access token for the other client.

Remediation

Install updates from vendor's website.

External links

http://cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc

#VU22576 Improper Authentication in Apache CXF - CVE-2019-12419

Description

Remediation

External links

Please verify you're human