CVE-2019-12419: Apache CXF OpenId Connect token service does not properly validate the clientId

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 3.3.4 and
3.2.11.

Description:

Apache CXF provides all of the components that are required to build a fully
fledged OpenId Connect service. There is a vulnerability in the access token
services, which do not validate that the authenticated principal is equal
to that of the supplied clientId parameter in the request.

If a malicious client was able to somehow steal an authorization code issued
to another client, then they could exploit this vulnerability to obtain an
access token for the other client.

Mitigation:

Users of Apache CXF that rely on the OpenId Connect service should update to
either the 3.3.4 or 3.2.11 releases.
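The missing check described above, shown on a minimal authorization-code token endpoint. This is an added illustration written for this advisory, not Apache CXF code; the client registry, the code store and the function names are constructed for the example, and the "vulnerable" variant models only the behaviour the advisory describes (the clientId parameter is never compared with the authenticated principal).

```python
from dataclasses import dataclass

# Constructed client registry and issued-code store (placeholder values).
CLIENTS = {"client-a": "secret-a", "client-b": "secret-b"}
CODES = {"code-123": "client-a"}  # authorization code -> client it was issued to


@dataclass
class TokenRequest:
    auth_client: str   # client name presented with the client credentials
    auth_secret: str   # client secret presented for authentication
    client_id: str     # clientId parameter carried in the request body
    code: str          # authorization code being exchanged


def authenticate(req: TokenRequest):
    """Return the authenticated principal, or None if the credentials are wrong."""
    if CLIENTS.get(req.auth_client) == req.auth_secret:
        return req.auth_client
    return None


def exchange_code_vulnerable(req: TokenRequest):
    """Pre-fix behaviour: the token is bound to the clientId parameter and the
    code owner, but neither is ever compared with the authenticated principal."""
    principal = authenticate(req)
    if principal is None or req.code not in CODES:
        return None
    if CODES[req.code] != req.client_id:
        return None
    return {"access_token": f"token-for-{req.client_id}", "client": req.client_id}


def exchange_code_fixed(req: TokenRequest):
    """Fixed behaviour: clientId must equal the authenticated principal, and the
    code must have been issued to that same principal."""
    principal = authenticate(req)
    if principal is None or req.code not in CODES:
        return None
    if req.client_id != principal:          # the check the advisory says was missing
        return None
    if CODES[req.code] != principal:        # code belongs to a different client
        return None
    return {"access_token": f"token-for-{principal}", "client": principal}
```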