Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client. Reference: http://cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc
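The advisory above says the access token service did not check that the authenticated principal matches the clientId parameter. The following is an added illustration of that missing check, written for this page; it is not Apache CXF code, and every class, field, client name and code value in it is a constructed placeholder. It models a token endpoint's authorization_code exchange twice: once in the vulnerable shape (trusting client_id from the request body) and once with the principal comparison the fix requires, then replays the scenario from the advisory (a client authenticating as itself while presenting a code issued to a different client) against both.

```python
"""Constructed model of an OAuth 2.0 token endpoint (authorization_code grant).

Illustrates the check CVE-2019-12419 describes as missing in Apache CXF's
access token service: the client that authenticated on the token request must
be the client named by the client_id parameter, and the code must have been
issued to that same client. This is NOT CXF code; all names are hypothetical.
"""
import secrets
from dataclasses import dataclass


@dataclass
class AuthorizationCode:
    client_id: str      # client the code was issued to
    subject: str        # resource owner who approved the grant
    redirect_uri: str


@dataclass
class TokenRequest:
    authenticated_client: str   # principal established by client authentication
    client_id: str              # client_id parameter from the request body
    code: str
    redirect_uri: str


class TokenService:
    def __init__(self):
        self._codes = {}   # code value -> AuthorizationCode (single use)
        self.audit = []    # rejected requests, useful for detection

    def issue_code(self, code, client_id, subject, redirect_uri):
        self._codes[code] = AuthorizationCode(client_id, subject, redirect_uri)

    def _consume(self, req):
        """Look up and invalidate the code; codes are single use (RFC 6749 4.1.2)."""
        grant = self._codes.pop(req.code, None)
        if grant is None or grant.redirect_uri != req.redirect_uri:
            return None
        return grant

    def _token_for(self, grant):
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "client_id": grant.client_id, "sub": grant.subject}

    def exchange_vulnerable(self, req):
        """Vulnerable pattern: trusts client_id from the body and never compares
        it with the authenticated principal, so a code issued to another client
        can be exchanged for that client's token."""
        grant = self._consume(req)
        if grant is None or grant.client_id != req.client_id:
            return {"error": "invalid_grant"}
        return self._token_for(grant)

    def exchange_fixed(self, req):
        """Hardened: the authenticated principal must equal client_id, and the
        code must have been issued to that principal."""
        if req.authenticated_client != req.client_id:
            self.audit.append(f"client_id mismatch: auth={req.authenticated_client} "
                              f"param={req.client_id} code={req.code}")
            return {"error": "invalid_client"}
        grant = self._consume(req)
        if grant is None or grant.client_id != req.authenticated_client:
            self.audit.append(f"code not issued to {req.authenticated_client}: code={req.code}")
            return {"error": "invalid_grant"}
        return self._token_for(grant)


def demo():
    """Replays the advisory's scenario against both versions (constructed data)."""
    # Constructed: code-123 was issued to client-a; client-b authenticates as
    # itself but names client-a in the request body and presents that code.
    redirect = "https://client-a.example/cb"
    stolen = TokenRequest("client-b", "client-a", "code-123", redirect)
    legit = TokenRequest("client-a", "client-a", "code-456", redirect)
    results = {}
    for name, method in (("vulnerable", "exchange_vulnerable"), ("fixed", "exchange_fixed")):
        svc = TokenService()
        svc.issue_code("code-123", "client-a", "alice", redirect)
        results[name + "_stolen"] = getattr(svc, method)(stolen)
        svc.issue_code("code-456", "client-a", "alice", redirect)
        results[name + "_legit"] = getattr(svc, method)(legit)
        results[name + "_audit"] = list(svc.audit)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the vulnerable path the request from client-b yields a token whose `client_id` is client-a; in the fixed path the same request is refused with `invalid_client` before the code is even looked up, and the mismatch is recorded in the audit list, which is the event a defender would alert on. The legitimate exchange succeeds in both versions, so the fix costs well-behaved clients nothing.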
Created cxf tracking bugs for this issue: Affects: fedora-all [bug 1816176]
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss BPM Suite 6
* Red Hat JBoss BRMS 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products: Red Hat OpenShift Application Runtimes Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-12419
This issue has been addressed in the following products: EAP-CD 19 Tech Preview Via RHSA-2020:2333 https://access.redhat.com/errata/RHSA-2020:2333