PT-2020-4103 · Apache · Apache Cxf

Published: 2020-01-16 · Updated: 2021-06-17 · CVE-2019-12423

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache CXF versions prior to 3.2.12; Apache CXF versions prior to 3.3.5
Description: The OpenId Connect JWK Keys service in Apache CXF can return private key and secret key credentials if the user has configured the signature keystore file with such credentials. The service typically obtains the public key from a local keystore, but it can also read keys from a JWK keystore file when the rs.security.keystore.type parameter is set to jwk; in that case the private and secret key material stored in the file is returned together with the public keys, which is a significant security risk for a service that is meant to publish only public keys.
Recommendations: Update to Apache CXF 3.2.12 or later (for 3.2.x deployments) or 3.3.5 or later (for 3.3.x deployments); from these versions only the specified key is returned and private key information is omitted by default. As a temporary workaround, disable the use of JWK keystore files or restrict access to the rs.security.keystore.type configuration parameter to minimize the risk of exploitation.
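As an added example (not Apache CXF code and not part of this advisory), the following Python check reads the JSON a JWK Keys endpoint publishes and flags every key that still carries private or secret members, which is the condition the description above warns about; the JWK Set and its key values are constructed placeholders.

```python
"""Audit a JWK Set (RFC 7517) for private or secret key material.

Added example: run it against the JSON your own JWK Keys endpoint
returns to confirm that only public members are published.
"""
import json

# Non-public members per key type (RFC 7518 sections 6.2.2, 6.3.2, 6.4.1).
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},  # a symmetric key is secret in its entirety
}
ALL_PRIVATE_MEMBERS = set().union(*PRIVATE_MEMBERS.values())


def leaked_keys(jwks_json: str) -> dict[str, set[str]]:
    """Return {kid: private members present} for every key that leaks.

    kid falls back to '<key N>' when absent. An unknown kty is checked
    against every known private member name, so a custom or misspelled
    key type is not silently passed.
    """
    doc = json.loads(jwks_json)
    findings: dict[str, set[str]] = {}
    for idx, jwk in enumerate(doc.get("keys", [])):
        members = PRIVATE_MEMBERS.get(jwk.get("kty", ""), ALL_PRIVATE_MEMBERS)
        present = members.intersection(jwk)
        if present:
            findings[jwk.get("kid", f"<key {idx}>")] = present
    return findings


# Constructed sample: a JWK keystore holding signing credentials, served
# verbatim. Values are placeholders, not real key material.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "sig-2020", "use": "sig", "alg": "RS256",
     "n": "MODULUS", "e": "AQAB",
     "d": "PRIVATE-EXPONENT", "p": "PRIME1", "q": "PRIME2"},
    {"kty": "oct", "kid": "hmac-2020", "alg": "HS256", "k": "SECRET"},
    {"kty": "EC", "kid": "ec-public", "crv": "P-256", "x": "X", "y": "Y"},
]})

if __name__ == "__main__":
    for kid, members in leaked_keys(SAMPLE_JWKS).items():
        print(f"{kid}: exposes {sorted(members)}")
```

A clean endpoint yields an empty result; any entry means the keystore behind rs.security.keystore.type=jwk is being served with its credentials intact.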

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

BDU:2020-04505
CVE-2019-12423
GHSA-42F2-F9VC-6365
RHSA-2020:2058
RHSA-2020:2059
RHSA-2020:2060
RHSA-2020:2511
RHSA-2020:2512
RHSA-2020:2513

Affected Products

Apache Cxf