Apache CXF 3.3.5 and 3.2.12 have been released. These releases contain fixes for two new security advisories:
- CVE-2019-12423: Apache CXF OpenId Connect JWK Keys service returns private/secret credentials if configured with a jwk keystore.
- CVE-2019-17573: Apache CXF Reflected XSS in the services listing page. Note that this attack exploits a feature which is not typically present in modern browsers, which remove dot segments before sending the request. However, mobile applications may be vulnerable.
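The issue behind CVE-2019-12423 is a JWK Set endpoint that serves private or secret key members alongside the public ones. The following added example (not CXF code, and not from the advisory) audits a JWKS document for the private members RFC 7518 defines per key type, so a deployment can verify its own keys endpoint only exposes public material; the key values in SAMPLE_JWKS are constructed placeholders, not real keys.

```python
import json

# Private/secret JWK members per RFC 7518, keyed by "kty". A JWK Set that is
# published for token verification must contain none of these.
PRIVATE_MEMBERS = {
    "RSA": {"d", "p", "q", "dp", "dq", "qi", "oth"},
    "EC": {"d"},
    "OKP": {"d"},
    "oct": {"k"},  # a symmetric key is secret in its entirety
}


def leaked_members(jwk):
    """Return the sorted private/secret members present in one JWK (empty if clean)."""
    kty = jwk.get("kty")
    return sorted(PRIVATE_MEMBERS.get(kty, set()) & set(jwk))


def audit_jwks(jwks_json):
    """Parse a JWK Set document and map each offending kid to the members it leaks."""
    doc = json.loads(jwks_json)
    findings = {}
    for index, jwk in enumerate(doc.get("keys", [])):
        leaked = leaked_members(jwk)
        if leaked:
            # Fall back to a positional name when the key carries no kid.
            findings[jwk.get("kid", f"key-{index}")] = leaked
    return findings


# Constructed sample response (placeholder values, not a real key set): the first
# key is a proper public RSA key, the second also carries its private CRT
# parameters, and the third is an HMAC secret that should never be published.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "RSA", "kid": "pub-ok", "use": "sig", "alg": "RS256",
         "n": "0vx7agoebGcQSuuPiLJXZpt", "e": "AQAB"},
        {"kty": "RSA", "kid": "rsa-leak", "use": "sig", "alg": "RS256",
         "n": "0vx7agoebGcQSuuPiLJXZpt", "e": "AQAB",
         "d": "X4cTteJY_gn4FYPsXB8rdXi", "p": "83i-7IvMGXoMXCskv73TKr8",
         "q": "3dfOR9cuYq-0S-mkFLzgItg"},
        {"kty": "oct", "kid": "hmac-leak", "alg": "HS256", "k": "GawgguFyGrWKav7AX4VKUg"},
    ]
})

if __name__ == "__main__":
    for kid, members in audit_jwks(SAMPLE_JWKS).items():
        print(f"{kid}: exposes private members {members}")
```

Point audit_jwks at the JSON body fetched from your own JWKS endpoint; an empty result means no private members were found for the key types listed.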
Please see the CXF security advisories page for information on all of the CVEs issued for Apache CXF over the years.