[CVEID]:CVE-2019-12419
[PRODUCT]:Apache CXF
[VERSION]:Apache CXF versions before 3.3.4 and 3.2.11
[PROBLEMTYPE]:Apache CXF OpenId Connect token service does not properly validate the clientId
[REFERENCES]: http://cxf.apache.org/security-advisories.data/CVE-2019-12419.txt.asc
[DESCRIPTION]:Apache CXF provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token service: it does not validate that the authenticated principal is equal to the clientId parameter supplied in the request.
If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.
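To make the missing check concrete, the following is a constructed Python model of an authorization-code exchange, added here as an example; it is not Apache CXF code, and the code store, client names and code values are made up. It shows the pre-fix behaviour (the code is matched against the client_id parameter only) beside the post-fix behaviour (the authenticated principal must equal client_id, and the code must have been issued to that same client).

```python
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class AuthCode:
    issued_to: str   # client the authorization code was issued to
    scope: str
    used: bool = False


def fresh_store() -> dict:
    # constructed sample: one unused code, issued to client "app-a"
    return {"c0de-for-app-a": AuthCode(issued_to="app-a", scope="openid")}


def _redeem(store: dict, code_value: str, expected_client: str) -> Optional[dict]:
    """Redeem a code only if it exists, is unused and was issued to expected_client."""
    code = store.get(code_value)
    if code is None or code.used or code.issued_to != expected_client:
        return None
    code.used = True  # authorization codes are single-use
    return {"access_token": secrets.token_urlsafe(16),
            "client": code.issued_to, "scope": code.scope}


def exchange_vulnerable(store: dict, principal: str, params: dict) -> Optional[dict]:
    """Pre-fix behaviour: the code is checked against the client_id *parameter*;
    the authenticated principal is never compared to it."""
    return _redeem(store, params["code"], params["client_id"])


def exchange_fixed(store: dict, principal: str, params: dict) -> Optional[dict]:
    """Post-fix behaviour: client_id must equal the authenticated principal,
    and the code must have been issued to that same client."""
    if params.get("client_id") != principal:
        return None
    return _redeem(store, params["code"], principal)


if __name__ == "__main__":
    req = {"grant_type": "authorization_code",
           "code": "c0de-for-app-a", "client_id": "app-a"}
    # client "app-b" authenticated, but presents app-a's id and code
    print(exchange_vulnerable(fresh_store(), "app-b", req))  # token for app-a
    print(exchange_fixed(fresh_store(), "app-b", req))       # None
    print(exchange_fixed(fresh_store(), "app-a", req))       # token for app-a
```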