Vulnerabilities > CVE-2019-12419 - Incorrect Authorization vulnerability in multiple products

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

apache

oracle

CWE-863

critical

NVD

Published: 2019-11-06

Updated: 2023-11-07

Summary

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.

Vulnerable Configurations

Part	Description	Count
Application	Apache Apache CXF 3.2.0 Apache CXF 3.2.1 Apache CXF 3.2.2 Apache CXF 3.2.3 Apache CXF 3.2.4 Apache CXF 3.2.5 Apache CXF 3.2.6 Apache CXF 3.2.7 Apache CXF 3.2.8 Apache CXF 3.2.9 Apache CXF 3.2.10 Apache CXF 3.3.0 Apache CXF 3.3.1 Apache CXF 3.3.2 Apache CXF 3.3.3	15
Application	Oracle Oracle Flexcube Private Banking 12.1.0 Oracle Flexcube Private Banking 12.0.0 Oracle Retail Order Broker 15.0 Oracle Enterprise Manager Base Platform 13.2.1.0 Oracle Commerce Guided Search 11.3.2	5

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References