CVE-2019-12419

Published: 2019-11-06T21:15Z
Last Modified: 2024-11-21T04:22Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
Apache CXF before 3.3.4 and 3.2.11 provides all of the components required to build a fully fledged OpenID Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client were somehow able to steal an authorization code issued to another client, they could exploit this vulnerability to obtain an access token for the other client.

> MITRE Terms of Use apply – see LICENSE-MITRE.txt