N/A

Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to somehow steal an authorization code issued to another client, then they could exploit this vulnerability to obtain an access token for the other client.

N/A

N/A

Apache CXF 授权问题漏洞

Apache CXF是美国阿帕奇（Apache）基金会的一个开源的Web服务框架。该框架支持多种Web服务标准、多种前端编程API等。 Apache CXF 中存在授权问题漏洞。该漏洞源于访问令牌服务中存在一个漏洞，它无法验证经过身份验证的主体是否等于请求中提供的 clientId 参数的主体。

N/A

N/A