CRITICAL🇵🇱 Wersja polska

CVE-2019-12419

CVSS 9.8v3.1pub. 2019-11-06upd. 2024-11-21

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Apache Cxf

    APP
    Apache
    3.2.0 – 3.2.11 (bez)3.3.0 – 3.3.4 (bez)
  • Oracle Commerce Guided Search

    APP
    Oracle
    11.3.2
  • Oracle Enterprise Manager Base Platform

    APP
    Oracle
    13.2.1.0
  • Oracle Flexcube Private Banking

    APP
    Oracle
    12.0.012.1.0
  • Oracle Retail Order Broker

    APP
    Oracle
    15.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2022-22947CRITICAL10.0⚠ KEVten sam produkt

In spring cloud gateway versions prior to 3.1.1+ and 3.0.7+ , applications are vulnerable to a code injection ...

CVE-2026-46852CRITICAL9.9ten sam produkt

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: ...

CVE-2026-46832CRITICAL9.9ten sam produkt

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: ...

CVE-2026-46853CRITICAL9.6ten sam produkt

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: ...

CVE-2026-46854CRITICAL9.9ten sam produkt

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: ...