Apache CXF vulnerabilities
2 known vulnerabilities affecting apache/apache_cxf.
Total CVEs: 2
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, MEDIUM 1
Vulnerabilities
CVE-2020-1954 | MEDIUM | CVSS 5.3 | affects all versions prior to 3.3.6 and 3.2.13 | 2020-04-01
CVE-2020-1954 [MEDIUM] CVE-2020-1954: Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension
Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the 'createMBServerConnectorFactory' property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind th
cvelistv5, nvd
CVE-2019-12419 | CRITICAL | CVSS 9.8 | versions before 3.3.4 and 3.2.11 | 2019-11-06
CVE-2019-12419 [CRITICAL] CWE-863 CVE-2019-12419: Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully
Apache CXF before 3.3.4 and 3.2.11 provides all of the components that are required to build a fully fledged OpenId Connect service. There is a vulnerability in the access token services, where it does not validate that the authenticated principal is equal to that of the supplied clientId parameter in the request. If a malicious client was able to
cvelistv5, nvd