CVE-2019-12419: Apache CXF OpenId Connect token service does not properly validate the clientId

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 3.3.4 and 3.2.11.

Description:
Apache CXF provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.

Mitigation:
Users of Apache CXF that rely on the OpenId Connect service should update to either the 3.3.4 or 3.2.11 releases.
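The missing check described above, as an added illustration that is not Apache CXF code: a minimal authorization-code token handler in the vulnerable shape beside the corrected one. All names (client-A, client-B, the code store, issue_token_vulnerable, issue_token_fixed) are constructed for this example; the fixed handler rejects any request whose client_id does not match the authenticated principal and whose code was not issued to that principal.

```python
from dataclasses import dataclass
from secrets import token_urlsafe


# Constructed sample data: one authorization code, issued to "client-A".
@dataclass(frozen=True)
class AuthorizationCode:
    code: str
    client_id: str        # client the code was issued to
    redirect_uri: str


CODES = {"code-abc": AuthorizationCode("code-abc", "client-A", "https://a.example/cb")}


class TokenError(Exception):
    """Token endpoint error; the message is the RFC 6749 error code."""


def _lookup_code(params):
    code = CODES.get(params.get("code", ""))
    if code is None or code.redirect_uri != params.get("redirect_uri"):
        raise TokenError("invalid_grant")
    return code


def issue_token_vulnerable(authenticated_client, params):
    # Shape described in the advisory: the authenticated principal is never
    # compared with the client_id parameter, so whoever holds another
    # client's code can redeem it under that client's identity.
    code = _lookup_code(params)
    if code.client_id != params.get("client_id"):
        raise TokenError("invalid_grant")
    return {"access_token": token_urlsafe(16), "client_id": code.client_id}


def issue_token_fixed(authenticated_client, params):
    # Fixed: the claimed client_id must equal the authenticated principal,
    # and the code must have been issued to that same principal.
    if params.get("client_id") != authenticated_client:
        raise TokenError("invalid_client")
    code = _lookup_code(params)
    if code.client_id != authenticated_client:
        raise TokenError("invalid_grant")
    return {"access_token": token_urlsafe(16), "client_id": code.client_id}


# Constructed request: client-A's code, presented with client-A's client_id.
REQUEST = {"grant_type": "authorization_code", "code": "code-abc",
           "client_id": "client-A", "redirect_uri": "https://a.example/cb"}


def outcome(handler, authenticated_client, params):
    """Return the client the token was issued for, or the error code."""
    try:
        return handler(authenticated_client, params)["client_id"]
    except TokenError as err:
        return str(err)
```

Calling outcome with "client-B" as the authenticated principal returns "client-A" from the vulnerable handler and "invalid_client" from the fixed one.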