What is CVE-2019-12419?

CVE-2019-12419 is a vulnerability in Apache Cxf. Published 2019-11-06.

Is CVE-2019-12419 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Cxf

CVE-2019-12419

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated p…

EPSS: 0.110 (93.6th percentile) — read the EPSS interpretation.

Affected products

Apache Cxf — versions versions before 3.3.4 and 3.2.11

Public proof-of-concept exploits

References

[cxf-commits] 20200116 svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html (mailing-list, x_refsource_MLIST)
[cxf-commits] 20200319 svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html (mailing-list, x_refsource_MLIST)
[cxf-commits] 20200401 svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html (mailing-list, x_refsource_MLIST)
www.oracle.com/security-alerts/cpuapr2020.html (x_refsource_MISC)
www.oracle.com/security-alerts/cpujan2020.html (x_refsource_MISC)
www.oracle.com/security-alerts/cpuoct2020.html (x_refsource_MISC)
cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc (x_refsource_CONFIRM)
[cxf-dev] 20201030 CVE-2019-12419 (mailing-list, x_refsource_MLIST)
[cxf-dev] 20201102 Re: CVE-2019-12419 (mailing-list, x_refsource_MLIST)
[cxf-dev] 20201103 Re: CVE-2019-12419 (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2019-12419?: CVE-2019-12419 is a vulnerability in Apache Cxf. Published 2019-11-06.
Is CVE-2019-12419 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.