{"id":"CVE-2019-12419","details":"Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenID Connect service. There is a vulnerability in the access token services, which do not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client were able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.","aliases":["GHSA-cw6w-q88j-6mqf"],"modified":"2026-04-10T04:12:02.515180Z","published":"2019-11-06T21:15:11.243Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r861eb1a9e0250e9150215b17f0263edf62becd5e20fc96251cff59f6%40%3Cdev.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/re7593a274ee0a85d304d5d42c66fc0081c94d7f22bc96a1084d43b80%40%3Cdev.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ree5fc719e330f82ae38a2b0050c91f18ed5b878312dc0b9e0b9815be%40%3Cdev.cxf.apache.org%3E"},{"typ
e":"ADVISORY","url":"http://cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/cxf","events":[{"introduced":"f5ee3b786e22a081121eeebbba6d02fa9f4e7206"},{"fixed":"da2d27d97f9e9abd7d307e2224e5e0338b767ee2"},{"introduced":"8f90e00177d464541e99ed61238cbc52cff0846d"},{"fixed":"fbd2dbf5fecbac7343b9fe442a10e75cfb9f7471"}],"database_specific":{"versions":[{"introduced":"3.2.0"},{"fixed":"3.2.11"},{"introduced":"3.3.0"},{"fixed":"3.3.4"}]}}],"versions":["cxf-3.2.0","cxf-3.2.1","cxf-3.2.10","cxf-3.2.2","cxf-3.2.3","cxf-3.2.4","cxf-3.2.5","cxf-3.2.6","cxf-3.2.7","cxf-3.2.8","cxf-3.2.9","cxf-3.3.0","cxf-3.3.1","cxf-3.3.2","cxf-3.3.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12419.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"11.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"13.2.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.0.0"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}