Main Vulnerability Database Vulnerabilities #VU22576

Improper Authentication in Apache CXF - CVE-2019-12419

Published: November 7, 2019

Vulnerability identifier: #VU22576

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-12419

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Apache Foundation

Affected software:
Apache CXF

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due the access token services does not validate that the authenticated principal is equal to that of the supplied "clientId" parameter in the request. A remote authenticated attacker can steal an authorization code issued to another client and obtain an access token for the other client.

How to mitigate CVE-2019-12419

Install updates from vendor's website.

Sources

http://cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc

Improper Authentication in Apache CXF - CVE-2019-12419

Detailed vulnerability description

How to mitigate CVE-2019-12419

Sources

Please verify you're human