Thursday, January 16, 2020

Two final 2019 CVEs for Apache CXF

Apache CXF 3.3.5 and 3.2.12 have been released. These releases contain fixes for two new security advisories:
  • CVE-2019-12423: Apache CXF OpenId Connect JWK Keys service returns private/secret credentials if configured with a jwk keystore.
  • CVE-2019-17573: Apache CXF Reflected XSS in the services listing page. Note that this attack exploits a feature which is not typically
    present in modern browsers, which remove dot segments before sending the
    request. However, mobile applications may be vulnerable.
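Both advisories come down to a missing server-side check, so here is an added example (constructed for this post, not Apache CXF code) of the two defensive checks in Python: a filter that keeps only the public members of a JWK Set before it is published (the class of bug behind CVE-2019-12423), and the RFC 3986 remove_dot_segments routine so that a server normalises a request path the same way a modern browser does before routing it (the normalisation that keeps browsers from triggering CVE-2019-17573, but that a mobile client may skip). The JWK member names follow RFC 7518; the sample key set and paths are constructed.

```python
"""Constructed example: publish only public JWK members, and normalise
dot segments in a request path on the server side (RFC 3986, 5.2.4)."""
import json
from typing import List, Optional

# Private members per RFC 7518 section 6: RSA (d, p, q, dp, dq, qi, oth),
# EC (d) and symmetric keys (k). Every other member is public metadata.
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def public_jwk(jwk: dict) -> Optional[dict]:
    """Return the public members of one JWK, or None for a symmetric ('oct')
    key, which has no public half and must never be published at all."""
    if jwk.get("kty") == "oct":
        return None
    return {name: value for name, value in jwk.items()
            if name not in PRIVATE_JWK_MEMBERS}


def public_jwk_set(jwks: dict) -> dict:
    """Filter a whole JWK Set (RFC 7517 section 5) down to what a keys
    endpoint may safely return."""
    filtered = [public_jwk(key) for key in jwks.get("keys", [])]
    return {"keys": [key for key in filtered if key is not None]}


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 remove_dot_segments, applied to a path only
    (no query string). Use it before matching the path against routes."""
    output: List[str] = []
    while path:
        if path.startswith("../"):          # rule A
            path = path[3:]
        elif path.startswith("./"):         # rule A
            path = path[2:]
        elif path.startswith("/./"):        # rule B
            path = path[2:]
        elif path == "/.":                  # rule B
            path = "/"
        elif path.startswith("/../"):       # rule C
            path = path[3:]
            if output:
                output.pop()
        elif path == "/..":                 # rule C
            path = "/"
            if output:
                output.pop()
        elif path in (".", ".."):           # rule D
            path = ""
        else:                               # rule E: move first segment
            start = 1 if path.startswith("/") else 0
            end = path.find("/", start)
            if end == -1:
                end = len(path)
            output.append(path[:end])
            path = path[end:]
    return "".join(output)


# Constructed sample key set: one RSA key with private members present and
# one symmetric key. The keys endpoint should publish only kty/kid/n/e.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "rsa-1", "n": "public-modulus", "e": "AQAB",
     "d": "PRIVATE", "p": "PRIVATE", "q": "PRIVATE", "dp": "PRIVATE",
     "dq": "PRIVATE", "qi": "PRIVATE"},
    {"kty": "oct", "kid": "hmac-1", "k": "SECRET"},
]}

if __name__ == "__main__":
    print(json.dumps(public_jwk_set(SAMPLE_JWKS), indent=2))
    for raw in ("/a/b/c/./../../g", "/services/./../services", "mid/content=5/../6"):
        print(raw, "->", remove_dot_segments(raw))
```

Running the script prints the filtered key set (only kty, kid, n and e survive, and the HMAC key disappears entirely) and the normalised paths; a services listing that runs remove_dot_segments before building links sees the same path a browser would have sent, regardless of which client produced the request.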
Please see the CXF security advisories page for information on all of the CVEs issued for Apache CXF over the years.