apache cxf CVE-2019-12419 in Apache and Oracle Products
Published on November 6, 2019

product logo product logo
Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.

NVD


Products Associated with CVE-2019-12419

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2019-12419 are published in these products:

Apache CXF
 
Oracle Commerce Guided Search
 
Oracle Enterprise Manager Base Platform
 
Oracle Flexcube Private Banking
 
Oracle Retail Order Broker
 

Affected Versions

Apache CXF Version versions before 3.3.4 and 3.2.11 is affected by CVE-2019-12419

Exploit Probability

EPSS
18.00%
Percentile
94.99%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.