CVE-2019-12419

CRITICAL

Apache CXF - Incorrect Authorization in OpenID Connect Access Token Service (affects bundled Oracle products including Retail Order Broker)

Title source: llm

Description

Apache CXF (3.3.x before 3.3.4 and 3.2.x before 3.2.11) provides all of the components required to build a fully fledged OpenID Connect service. The access token service in these versions does not validate that the authenticated client principal is the same client named by the clientId parameter supplied in the token request. A malicious client that has somehow obtained an authorization code issued to another client can therefore authenticate with its own credentials, pass the victim's clientId, and redeem the stolen code for an access token belonging to that other client. The precondition is code theft (for example through a leaked redirect), so the flaw turns a code-disclosure weakness elsewhere into a full token issuance for the wrong client. Fixed in CXF 3.3.4 and 3.2.11.
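How the missing check plays out in a token endpoint, as an added Python model written for this page (it is not Apache CXF code; the TokenService class, the client names client-a/client-b and the constructed requests are hypothetical). The same service runs once with the principal check disabled, reproducing the behaviour the advisory describes, and once with it enabled:

```python
"""Toy OAuth 2.0 / OpenID Connect token endpoint redeeming authorization codes.
Constructed example for CVE-2019-12419, not Apache CXF code: the
`validate_principal` flag toggles the check the advisory says was missing.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Client:
    client_id: str
    secret: str


@dataclass
class AuthCode:
    client_id: str      # client the code was issued to
    subject: str        # end user who granted the authorization
    redirect_uri: str


class InvalidClient(Exception):
    """Token endpoint error `invalid_client`."""


class InvalidGrant(Exception):
    """Token endpoint error `invalid_grant`."""


class TokenService:
    def __init__(self, clients, validate_principal):
        self.clients = {c.client_id: c for c in clients}
        self.codes = {}                      # code -> AuthCode, single use
        self.validate_principal = validate_principal

    def issue_code(self, client_id, subject, redirect_uri):
        """Authorization endpoint side: mint a code bound to one client."""
        code = secrets.token_urlsafe(24)
        self.codes[code] = AuthCode(client_id, subject, redirect_uri)
        return code

    def authenticate(self, auth_user, auth_secret):
        """HTTP Basic client authentication; returns the authenticated principal."""
        client = self.clients.get(auth_user)
        if client is None or not hmac.compare_digest(client.secret, auth_secret):
            raise InvalidClient("client authentication failed")
        return client

    def token(self, auth_user, auth_secret, params):
        """POST /token with grant_type=authorization_code."""
        principal = self.authenticate(auth_user, auth_secret)
        if params.get("grant_type") != "authorization_code":
            raise InvalidGrant("unsupported grant_type")
        # The client record is selected from the request's client_id parameter...
        client = self.clients.get(params.get("client_id", principal.client_id))
        if client is None:
            raise InvalidClient("unknown client_id")
        # ...so it must be tied back to whoever actually authenticated.
        if self.validate_principal and client.client_id != principal.client_id:
            raise InvalidClient("client_id does not match authenticated client")
        code = self.codes.pop(params.get("code"), None)
        if (code is None or code.client_id != client.client_id
                or code.redirect_uri != params.get("redirect_uri")):
            raise InvalidGrant("invalid authorization code")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "client_id": client.client_id, "sub": code.subject}


def redeem_stolen_code(validate_principal):
    """client-b redeems a code issued to client-a, naming client-a in client_id.
    Returns ("token", client_id, sub) on success, else ("rejected", reason)."""
    svc = TokenService([Client("client-a", "secret-a"),
                        Client("client-b", "secret-b")], validate_principal)
    stolen = svc.issue_code("client-a", "alice", "https://a.example/cb")
    try:
        tok = svc.token("client-b", "secret-b", {
            "grant_type": "authorization_code",
            "code": stolen,
            "client_id": "client-a",            # victim's id, attacker's credentials
            "redirect_uri": "https://a.example/cb",
        })
        return ("token", tok["client_id"], tok["sub"])
    except (InvalidClient, InvalidGrant) as exc:
        return ("rejected", str(exc))


def redeem_own_code(validate_principal):
    """Legitimate flow: client-a redeems its own code; works in both modes."""
    svc = TokenService([Client("client-a", "secret-a")], validate_principal)
    code = svc.issue_code("client-a", "alice", "https://a.example/cb")
    tok = svc.token("client-a", "secret-a", {
        "grant_type": "authorization_code", "code": code,
        "client_id": "client-a", "redirect_uri": "https://a.example/cb"})
    return tok["client_id"], tok["sub"]


if __name__ == "__main__":
    print("vulnerable:", redeem_stolen_code(False))
    print("fixed:     ", redeem_stolen_code(True))
```

Note that binding the code to its issuing client is not enough on its own: in the vulnerable run that check passes, because the client record was chosen from the attacker-controlled client_id parameter. The fix is to compare that record against the principal produced by client authentication (or, equivalently, to ignore the parameter and use the principal directly). For deployed systems the remedy is upgrading to CXF 3.3.4 / 3.2.11 or the Oracle CPU that bundles them.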

References (14)

Oracle Critical Patch Update Advisory, April 2020 (Patch, Third Party Advisory)
https://www.oracle.com/security-alerts/cpuapr2020.html
Oracle Critical Patch Update Advisory, January 2020 (Patch, Third Party Advisory)
https://www.oracle.com/security-alerts/cpujan2020.html
Oracle Critical Patch Update Advisory, October 2020 (Patch, Third Party Advisory)
https://www.oracle.com/security-alerts/cpuoct2020.html
Oracle Critical Patch Update Advisory, April 2021 (Patch, Third Party Advisory)
https://www.oracle.com/security-alerts/cpuApr2021.html

Scores

CVSS v3 9.8
EPSS 0.1104
EPSS Percentile 93.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-863 Incorrect Authorization
Status published
Products (7)
apache/cxf 3.2.0 - 3.2.11 (fixed in 3.2.11; the 3.3.x line is fixed in 3.3.4)
oracle/commerce_guided_search 11.3.2
oracle/enterprise_manager_base_platform 13.2.1.0
oracle/flexcube_private_banking 12.0.0
oracle/flexcube_private_banking 12.1.0
oracle/retail_order_broker 15.0
org.apache.cxf/cxf 0 - 3.2.11 (Maven)
Published Nov 06, 2019
Tracked Since Feb 18, 2026