CVE-2019-12419: Apache CXF OpenId Connect token service does not properly validate the clientId

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: This vulnerability affects all versions of Apache CXF prior to 3.3.4 and 3.2.11.

Description: Apache CXF provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access and token revocation services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.

Mitigation: Users of Apache CXF that rely on the OpenId Connect service should update to either the 3.3.4 or 3.2.11 releases.
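The missing check described above, as an added toy model of a token endpoint (this is not CXF's code, and the class, function and client names are constructed for illustration): with check_principal=False the endpoint behaves like the affected versions and honours a code-for-token exchange as long as the clientId parameter matches the code, regardless of which client actually authenticated; with check_principal=True the authenticated principal must also equal the clientId parameter.

```python
from dataclasses import dataclass
from typing import Dict
import secrets


@dataclass
class AuthCode:
    client_id: str   # client the authorization code was issued to
    subject: str     # end user who authorized the grant


class TokenService:
    """Toy token endpoint; check_principal=False models the pre-fix behaviour."""

    def __init__(self, check_principal: bool):
        self.check_principal = check_principal
        self.codes: Dict[str, AuthCode] = {}

    def issue_code(self, client_id: str, subject: str) -> str:
        code = secrets.token_urlsafe(16)
        self.codes[code] = AuthCode(client_id, subject)
        return code

    def exchange_code(self, authenticated_client: str, client_id: str, code: str) -> dict:
        # Single-use code; it must exist and belong to the clientId named in the request.
        grant = self.codes.pop(code, None)
        if grant is None or grant.client_id != client_id:
            raise PermissionError("invalid_grant")
        # The check missing in the affected versions: the client that authenticated
        # to the endpoint must be the same client named by the clientId parameter.
        if self.check_principal and authenticated_client != client_id:
            raise PermissionError("invalid_client")
        return {"access_token": secrets.token_urlsafe(24),
                "client_id": grant.client_id, "sub": grant.subject}


def exchange_foreign_code(check_principal: bool) -> str:
    """client-b authenticates and presents a code issued to client-a (constructed sample)."""
    svc = TokenService(check_principal)
    code = svc.issue_code("client-a", "alice")
    try:
        token = svc.exchange_code("client-b", "client-a", code)
    except PermissionError as e:
        return f"rejected: {e}"
    return f"token issued for {token['client_id']}"
```

Logging the authenticated principal alongside the clientId parameter at the token endpoint also gives a simple detection signal for mismatched requests on versions that cannot be upgraded immediately.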