SB2019110708 - Multiple vulnerabilities in Apache CXF
Published: November 7, 2019
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Improper Authentication (CVE-ID: CVE-2019-12419)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists because the access token services do not validate that the authenticated principal is equal to that of the supplied "clientId" parameter in the request. A remote authenticated attacker can steal an authorization code issued to another client and obtain an access token for the other client.
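The check described above as missing, modelled as an added example (not Apache CXF code and not from the bulletin): a token endpoint that refuses a code exchange unless the authenticated principal, the "clientId" parameter and the client the code was issued to all match. The class, function and store names and the sample values are assumptions constructed for illustration.

```python
import secrets
from dataclasses import dataclass


class TokenRequestError(Exception):
    """Request rejected; the message starts with the OAuth error code."""


@dataclass
class AuthCodeGrant:
    code: str
    client_id: str      # client the authorization code was issued to
    used: bool = False  # authorization codes are single-use


def exchange_code(authenticated_principal, client_id_param, code, grants):
    """Exchange an authorization code for an access token.

    authenticated_principal: client identity established by client
        authentication (hypothetical input, e.g. from HTTP Basic auth).
    client_id_param: the "clientId" value supplied in the request.
    grants: dict mapping code -> AuthCodeGrant (constructed store).
    """
    # Check 1: the client that authenticated must be the client named in
    # the request. Without this, client B can authenticate as itself and
    # still name client A in "clientId".
    if authenticated_principal != client_id_param:
        raise TokenRequestError("invalid_client: principal does not match clientId")

    grant = grants.get(code)
    if grant is None or grant.used:
        raise TokenRequestError("invalid_grant: unknown or already used code")

    # Check 2: the code must have been issued to that same client.
    if grant.client_id != client_id_param:
        raise TokenRequestError("invalid_grant: code was issued to another client")

    grant.used = True
    return {"client_id": grant.client_id,
            "access_token": secrets.token_urlsafe(32)}
```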
2) Resource management error (CVE-ID: CVE-2019-12406)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the affected software does not restrict the number of message attachments present in a given message. A remote authenticated attacker can craft a message containing a very large number of message attachments and cause a denial of service condition on the target system.
Remediation
Install update from vendor's website.