Multiple vulnerabilities in Apache CXF
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2019-12419 CVE-2019-12406 |
| CWE-ID | CWE-287 CWE-399 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Apache CXF Server applications / Frameworks for developing and running applications |
| Vendor | Apache Foundation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper Authentication
EUVDB-ID: #VU22576
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12419
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due the access token services does not validate that the authenticated principal is equal to that of the supplied "clientId" parameter in the request. A remote authenticated attacker can steal an authorization code issued to another client and obtain an access token for the other client.
MitigationInstall updates from vendor's website.
Vulnerable software versionsApache CXF: 2.0.6 - 3.3.3
CPE2.3- cpe:2.3:a:apache_foundation:apache_cxf:3.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.3.1:*:*:*:*:*:*:*
http://cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Resource management error
EUVDB-ID: #VU22577
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12406
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the affected software does not restrict the number of message attachments present in a given message. A remote authenticated attacker can craft a message containing a very large number of message attachments and cause a denial of service condition on the target system.
Install updates from vendor's website.
Vulnerable software versionsApache CXF: 2.0.6 - 3.3.3
CPE2.3- cpe:2.3:a:apache_foundation:apache_cxf:3.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache_foundation:apache_cxf:3.3.1:*:*:*:*:*:*:*
http://cxf.apache.org/security-advisories.data/CVE-2019-12406.txt.asc
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
