#VU22576 Improper Authentication in Apache CXF - CVE-2019-12419

Cybersecurity Help s.r.o.

Published: 2019-11-07

Vulnerability identifier: #VU22576

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-12419

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache CXF
Server applications / Frameworks for developing and running applications

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due the access token services does not validate that the authenticated principal is equal to that of the supplied "clientId" parameter in the request. A remote authenticated attacker can steal an authorization code issued to another client and obtain an access token for the other client.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache CXF: 2.0.6 - 3.3.3

External links
https://cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Oracle FLEXCUBE Private Banking

Multiple vulnerabilities in Oracle Retail Order Broker

Multiple vulnerabilities in Apache CXF