Vulnerability Name: CVE-2019-12419 (CCN-170975)
Assigned: 2019-11-05
Published: 2019-11-05
Updated: 2021-06-17

Summary: Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, which do not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.

CVSS v3 Severity:
  9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
    Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): None
    Scope: Scope (S): Unchanged
    Impact Metrics: Confidentiality (C): High; Integrity (I): High; Availability (A): High

  5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
  5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
    Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): High; Privileges Required (PR): None; User Interaction (UI): None
    Scope: Scope (S): Unchanged
    Impact Metrics: Confidentiality (C): None; Integrity (I): High; Availability (A): None

CVSS v2 Severity:
  7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
    Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Low; Authentication (Au): None
    Impact Metrics: Confidentiality (C): Partial; Integrity (I): Partial; Availability (A): Partial

  5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:C/A:N)
    Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): High; Authentication (Au): None
    Impact Metrics: Confidentiality (C): None; Integrity (I): Complete; Availability (A): None
Vulnerability Type: CWE-863
Vulnerability Consequences: Bypass Security

References:
  Source: MITRE; Type: CNA; CVE-2019-12419
  Source: CONFIRM; Type: Vendor Advisory; http://cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc
  Source: CCN; Type: Apache Web site; CXF
  Source: XF; Type: UNKNOWN; apache-cve201912419-sec-bypass(170975)
  Source: MLIST; Type: Exploit, Mailing List, Vendor Advisory; [cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html
  Source: MLIST; Type: Mailing List, Vendor Advisory; [cxf-dev] 20201102 Re: CVE-2019-12419
  Source: MLIST; Type: Exploit, Mailing List, Vendor Advisory; [cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html
  Source: MLIST; Type: Exploit, Mailing List, Vendor Advisory; [cxf-commits] 20201112 svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html
  Source: MLIST; Type: Mailing List, Vendor Advisory; [cxf-dev] 20201103 Re: CVE-2019-12419
  Source: MLIST; Type: Exploit, Mailing List, Vendor Advisory; [cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html
  Source: MLIST; Type: Mailing List, Vendor Advisory; [cxf-dev] 20201030 CVE-2019-12419
  Source: MLIST; Type: Exploit, Mailing List, Vendor Advisory; [cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html
  Source: MLIST; Type: Exploit, Mailing List, Vendor Advisory; [cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html
  Source: CCN; Type: oss-sec Mailing List, Tue, 5 Nov 2019 15:56:46 +0000; [CVE-2019-12419] Apache CXF OpenId Connect token service does not properly validate the clientId
  Source: CCN; Type: IBM Security Bulletin 5693247 (Tivoli Application Dependency Discovery Manager); Apache CXF (Publicly disclosed vulnerability)
  Source: CCN; Type: IBM Security Bulletin 6344071 (QRadar SIEM); IBM QRadar SIEM is vulnerable to Using Components with Known Vulnerabilities
  Source: CCN; Type: Oracle CPU Apr2020; Oracle Critical Patch Update Advisory - April 2020
  Source: N/A; Type: Patch, Third Party Advisory; N/A
  Source: MISC; Type: Patch, Third Party Advisory; https://www.oracle.com/security-alerts/cpuApr2021.html
  Source: CCN; Type: Oracle CPU Jan2020; Oracle Critical Patch Update Advisory - January 2020
  Source: MISC; Type: Patch, Third Party Advisory; https://www.oracle.com/security-alerts/cpujan2020.html
  Source: MISC; Type: Patch, Third Party Advisory; https://www.oracle.com/security-alerts/cpuoct2020.html

Vulnerable Configuration:
  Configuration 1:
    cpe:/a:apache:cxf:*:*:*:*:*:*:*:* (Version >= 3.2.0 and < 3.2.11)
    OR cpe:/a:apache:cxf:*:*:*:*:*:*:*:* (Version >= 3.3.0 and < 3.3.4)
  Configuration 2:
    cpe:/a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
    OR cpe:/a:oracle:enterprise_manager_base_platform:13.2.1.0:*:*:*:*:*:*:*
    OR cpe:/a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
    OR cpe:/a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
    OR cpe:/a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
  Configuration CCN 1:
    cpe:/a:apache:cxf:3.2.11:*:*:*:*:*:*:*
    OR cpe:/a:apache:cxf:3.3.3:*:*:*:*:*:*:*
    AND cpe:/a:oracle:retail_order_broker_cloud_service:15.0:*:*:*:*:*:*:*
    OR cpe:/a:oracle:flexcube_private_banking:12.0:*:*:*:*:*:*:*
    OR cpe:/a:oracle:flexcube_private_banking:12.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.0:-:*:*:*:*:*:*
    OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.1:-:*:*:*:*:*:*
Affected Components:
  apache cxf *
  apache cxf *
  oracle commerce guided search 11.3.2
  oracle enterprise manager base platform 13.2.1.0
  oracle flexcube private banking 12.0.0
  oracle flexcube private banking 12.1.0
  oracle retail order broker 15.0
  apache cxf 3.2.11
  apache cxf 3.3.3
  oracle retail order broker cloud service 15.0
  oracle flexcube private banking 12.0
  oracle flexcube private banking 12.1
  ibm qradar security information and event manager 7.3.0
  ibm tivoli application dependency discovery manager 7.3.0
  ibm qradar security information and event manager 7.4.0
  ibm qradar security information and event manager 7.4.1 -