VYPR
Critical severity · NVD Advisory · Published Nov 6, 2019 · Updated Aug 4, 2024

CVE-2019-12419

Description

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache CXF's OpenId Connect access token service does not check that the authenticated client principal matches the clientId parameter, so a client holding an authorization code stolen from another client can redeem it for an access token issued in that client's name.

Vulnerability

Analysis

CVE-2019-12419 is a missing authentication check in Apache CXF versions before 3.3.4 and 3.2.11. The flaw is in the access token service components used to build OpenId Connect services. A token request carries two client identities: the client that authenticates to the endpoint (the principal, for example via its client secret) and the clientId parameter naming the client the authorization code was issued to. The affected service never verifies that these two are the same, so the code ends up bound to whatever clientId the caller supplies rather than to the caller itself.

Exploitation

To exploit this vulnerability, a malicious client must first obtain an authorization code that was issued to a different, legitimate client, for example through cross-site scripting, an open redirect, or another form of authorization code interception. The attacker then sends a token request authenticated with its own client credentials but carrying the victim's clientId (and the victim's redirect URI) together with the stolen code. Because the service never checks that the authenticated principal is the client named by clientId, the code is accepted and exchanged for an access token issued in the victim client's name. The attacker must itself be a registered client that can authenticate to the token endpoint; the flaw does not let an unauthenticated party redeem a code.
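The request described above, modelled as an added example for this page (this is not Apache CXF code; the client registry, the code store and the parameter names are constructed assumptions about a typical confidential-client deployment). The same token endpoint runs with and without the principal-to-clientId binding, so the difference between the affected and the fixed behaviour is visible on one request:

```python
"""Model of an OAuth2/OIDC token endpoint with and without the client-binding
check that CVE-2019-12419 describes.

Added example written for this page; it is not Apache CXF code. The client
registry, the authorization-code store and the request shape are constructed
here and are assumptions about a typical confidential-client deployment.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class AuthorizationCode:
    client_id: str      # client the code was issued to
    subject: str        # end-user who consented
    scope: str
    redirect_uri: str


# Constructed client registry (confidential clients with shared secrets).
CLIENTS = {"victim-app": "victim-secret", "attacker-app": "attacker-secret"}


def fresh_code_store() -> dict:
    """Constructed store with one code issued to victim-app for user alice."""
    return {
        "c0de-issued-to-victim": AuthorizationCode(
            client_id="victim-app", subject="alice",
            scope="openid profile", redirect_uri="https://victim.example/cb",
        )
    }


class TokenError(Exception):
    """Carries an RFC 6749 error code (invalid_client, invalid_grant, ...)."""


def authenticate_client(user: str, password: str) -> str:
    """HTTP Basic client authentication; returns the authenticated principal."""
    secret = CLIENTS.get(user)
    if secret is None or not hmac.compare_digest(secret, password):
        raise TokenError("invalid_client")
    return user


def redeem_code(store: dict, params: dict, principal: str, *, bind_principal: bool) -> dict:
    """grant_type=authorization_code handling.

    bind_principal=False reproduces the vulnerable behaviour: the code is
    matched against the client_id *parameter* only. bind_principal=True is
    the fixed behaviour: the authenticated principal must equal client_id.
    """
    if params.get("grant_type") != "authorization_code":
        raise TokenError("unsupported_grant_type")
    client_id = params.get("client_id", "")
    if bind_principal and not hmac.compare_digest(client_id, principal):
        # The check that was missing: the authenticated client must be the
        # client it claims to act for (RFC 6749 section 4.1.3).
        raise TokenError("invalid_client")
    issued = store.pop(params.get("code"), None)  # codes are single-use
    if issued is None or issued.client_id != client_id:
        raise TokenError("invalid_grant")
    if params.get("redirect_uri") != issued.redirect_uri:
        # Present in both variants, but the attacker can simply send the
        # victim's redirect_uri, so it does not stop the attack on its own.
        raise TokenError("invalid_grant")
    return {
        "access_token": secrets.token_urlsafe(16),
        "token_type": "Bearer",
        "client_id": issued.client_id,   # the client this token belongs to
        "sub": issued.subject,
        "scope": issued.scope,
    }


def token_request(user: str, password: str, params: dict, *, bind_principal: bool):
    """Full token-endpoint round trip; returns a token dict or an error code."""
    store = fresh_code_store()
    try:
        principal = authenticate_client(user, password)
        return redeem_code(store, params, principal, bind_principal=bind_principal)
    except TokenError as err:
        return str(err)


# The stolen code presented with the attacker's own credentials but the
# victim's client_id and redirect_uri: the request the advisory describes.
STOLEN_CODE_REQUEST = {
    "grant_type": "authorization_code",
    "code": "c0de-issued-to-victim",
    "client_id": "victim-app",
    "redirect_uri": "https://victim.example/cb",
}


def attack(*, bind_principal: bool):
    """Attacker authenticates as attacker-app and claims to be victim-app."""
    return token_request("attacker-app", "attacker-secret",
                         STOLEN_CODE_REQUEST, bind_principal=bind_principal)


def legitimate(*, bind_principal: bool):
    """The victim client redeems its own code the normal way."""
    return token_request("victim-app", "victim-secret",
                         STOLEN_CODE_REQUEST, bind_principal=bind_principal)


if __name__ == "__main__":
    print("vulnerable, attacker:", attack(bind_principal=False))
    print("fixed, attacker:     ", attack(bind_principal=True))
    print("fixed, victim:       ", legitimate(bind_principal=True))
```

Without the binding, the attacker's request passes every check the vulnerable endpoint does make (valid client secret, code issued to the named client, matching redirect URI) and receives a token whose client_id is victim-app. With the binding, the same request fails with invalid_client before the code is even looked up, which is also why the attacker cannot simply send its own client_id: then the code-to-client match fails with invalid_grant.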

Impact

Successful exploitation yields a valid access token issued to a different client. Depending on the token's scope and the resources it unlocks, the attacker can access protected resources or act as the legitimate client. This breaks the assumption the authorization code grant relies on, that the party redeeming a code is the party it was issued to, and removes the client authentication step that normally makes a stolen code alone insufficient.

Mitigation

Apache CXF 3.3.4 and 3.2.11 add the missing check [1]. Users of earlier 3.2.x and 3.3.x releases are strongly advised to upgrade. There is no configuration workaround within the Apache CXF codebase; the fix requires updating the library.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions    Patched version
org.apache.cxf:cxf (Maven)  < 3.2.11             3.2.11
org.apache.cxf:cxf (Maven)  >= 3.3.0, < 3.3.4    3.3.4
