CVE-2019-12423
Summary
| CVE | CVE-2019-12423 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-01-16 18:15:00 UTC |
| Updated | 2023-11-07 03:03:00 UTC |
| Description | Apache CXF ships with an OpenId Connect JWK Keys service, which allows a client to obtain the public keys in JWK format, which can then be used to verify the signature of tokens issued by the service. Typically, the service obtains the public key from a local keystore (JKS/PKCS12) by specifying the path of the keystore and the alias of the keystore entry. This case is not vulnerable. However it is also possible to obtain the keys from a JWK keystore file, by setting the configuration parameter "rs.security.keystore.type" to "jwk". For this case all keys are returned in this file "as is", including all private key and secret key credentials. This is an obvious security risk if the user has configured the signature keystore file with private or secret key credentials. From CXF 3.3.5 and 3.2.12, it is mandatory to specify an alias corresponding to the id of the key in the JWK file, and only this key is returned. In addition, any private key information is omitted by default. "oct" keys, which contain secret keys, are not returned at all. |
Risk And Classification
Problem Types: CWE-522
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Cxf | All | All | All | All |
| Application | Oracle | Commerce Guided Search | 11.3.2 | All | All | All |
| Application | Oracle | Communications Diameter Signaling Router | All | All | All | All |
| Application | Oracle | Communications Element Manager | All | All | All | All |
| Application | Oracle | Communications Session Report Manager | All | All | All | All |
| Application | Oracle | Communications Session Route Manager | 8.1.1 | All | All | All |
| Application | Oracle | Communications Session Route Manager | 8.2.0 | All | All | All |
| Application | Oracle | Communications Session Route Manager | 8.2.1 | All | All | All |
| Application | Oracle | Flexcube Private Banking | 12.0.0 | All | All | All |
| Application | Oracle | Flexcube Private Banking | 12.1.0 | All | All | All |
| Application | Oracle | Retail Order Broker | 15.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html | | lists.apache.org | |
| cxf.apache.org/security-advisories.data/CVE-2019-12423.txt.asc | CONFIRM | cxf.apache.org | Vendor Advisory |
| Oracle Critical Patch Update Advisory - July 2020 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Oracle Critical Patch Update Advisory - October 2020 | MISC | www.oracle.com | |
| [cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Mailing List, Vendor Advisory |
| Oracle Critical Patch Update Advisory - April 2021 | MISC | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 982215 Java (maven) Security Update for org.apache.cxf:cxf (GHSA-42f2-f9vc-6365)