CVE-2019-12419

Name of the Vulnerable Software and Affected Versions Apache CXF versions prior to 3.3.4 and 3.2.11

Description The issue is related to the OpenId Connect service in Apache CXF, where the access token service does not properly validate the authenticated principal against the supplied clientId parameter in the request. This could allow a malicious client to exploit the vulnerability and obtain an access token for another client if they can steal an authorization code. The vulnerability is associated with weaknesses in the authentication procedure, which can be exploited by a remote attacker to gain unauthorized access to protected information.

Recommendations For versions prior to 3.3.4 and 3.2.11, update to version 3.3.4 or 3.2.11 or later to resolve the issue. As a temporary workaround, consider restricting access to the OpenId Connect service to minimize the risk of exploitation.