Improper Authentication in Apache MyFaces

Moderate severity GitHub Reviewed Published May 17, 2022 to the GitHub Advisory Database • Updated Sep 26, 2023

Package

maven org.apache.myfaces.core:myfaces-impl (Maven)

Affected versions

>= 1.1.0, < 1.1.8
>= 1.2.0, < 1.2.9
>= 2.0.0, < 2.0.1

Patched versions

1.1.8
1.2.9
2.0.1

Package

maven org.apache.myfaces.shared:myfaces-shared-core (Maven)

Affected versions

>= 1.1.0, < 1.1.8
>= 1.2.0, < 1.2.9
>= 2.0.0, < 2.0.1

Patched versions

1.1.8
1.2.9
2.0.1

Description

shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
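The defect described above is the absence of integrity protection on the encrypted state, not a weakness in the cipher itself. The following is an added illustration, not code from Apache MyFaces or its StateUtils class: it puts an encryption-only token format (as the affected versions used) next to an encrypt-then-MAC format, and shows that without a MAC a modified token reaches the cipher and either decrypts to altered bytes or fails with a padding error, whereas with a MAC every modified token is rejected uniformly before decryption runs. The class name, method names and the sample keys and state are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example (not MyFaces code): encrypt-then-MAC for a serialized view state. */
public class ViewStateMacExample {
    private static final int IV_LEN = 16;   // AES block size
    private static final int TAG_LEN = 32;  // HMAC-SHA256 output size
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKeySpec encKey;  // AES key
    private final SecretKeySpec macKey;  // independent key for the HMAC

    public ViewStateMacExample(byte[] encKeyBytes, byte[] macKeyBytes) {
        this.encKey = new SecretKeySpec(encKeyBytes, "AES");
        this.macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
    }

    /** Encryption only, as in the affected versions: returns IV || AES-CBC ciphertext. */
    public byte[] encryptOnly(byte[] state) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        return concat(iv, cipher.doFinal(state));
    }

    /** Decryption with no integrity check: every modified token reaches the cipher. */
    public byte[] decryptOnly(byte[] token) throws Exception {
        byte[] iv = Arrays.copyOfRange(token, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(token, IV_LEN, token.length);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(iv));
        // Outcome depends on which bytes were changed: BadPaddingException or altered plaintext.
        return cipher.doFinal(ct);
    }

    /** Encrypt-then-MAC: appends HMAC-SHA256 computed over IV || ciphertext. */
    public byte[] encryptAndMac(byte[] state) throws Exception {
        byte[] encrypted = encryptOnly(state);
        return concat(encrypted, hmac(encrypted));
    }

    /** Verifies the tag in constant time before any decryption is attempted. */
    public byte[] verifyAndDecrypt(byte[] token) throws Exception {
        if (token.length < IV_LEN + TAG_LEN) {
            throw new SecurityException("view state token too short");
        }
        byte[] encrypted = Arrays.copyOfRange(token, 0, token.length - TAG_LEN);
        byte[] tag = Arrays.copyOfRange(token, token.length - TAG_LEN, token.length);
        if (!MessageDigest.isEqual(hmac(encrypted), tag)) {
            // Same exception for any modification, so the cipher layer is never consulted.
            throw new SecurityException("view state MAC mismatch");
        }
        return decryptOnly(encrypted);
    }

    private byte[] hmac(byte[] data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        return mac.doFinal(data);
    }

    private static byte[] concat(byte[] a, byte[] b) {
        byte[] out = Arrays.copyOf(a, a.length + b.length);
        System.arraycopy(b, 0, out, a.length, b.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] encKey = new byte[16];   // constructed sample keys, generated per run
        byte[] macKey = new byte[32];
        RNG.nextBytes(encKey);
        RNG.nextBytes(macKey);
        ViewStateMacExample guard = new ViewStateMacExample(encKey, macKey);
        byte[] state = "constructed sample view state".getBytes(StandardCharsets.UTF_8);

        // Simulate a single modified byte in a token while it is in the client's hands.
        byte[] unauthenticated = guard.encryptOnly(state);
        unauthenticated[0] ^= 0x01;   // an IV byte: silently alters the first plaintext byte
        System.out.println("no MAC:   "
                + new String(guard.decryptOnly(unauthenticated), StandardCharsets.UTF_8));

        byte[] authenticated = guard.encryptAndMac(state);
        authenticated[0] ^= 0x01;
        try {
            guard.verifyAndDecrypt(authenticated);
        } catch (SecurityException e) {
            System.out.println("with MAC: rejected before decryption (" + e.getMessage() + ")");
        }
    }
}
```

Two details carry the mitigation: the MAC covers the IV as well as the ciphertext, so no part of the token can be changed without invalidating the tag, and the comparison uses MessageDigest.isEqual rather than Arrays.equals so that the check itself does not leak through timing. Keep the MAC key separate from the encryption key.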

References

Published by the National Vulnerability Database Oct 20, 2010
Published to the GitHub Advisory Database May 17, 2022
Reviewed Jul 8, 2022
Last updated Sep 26, 2023

Severity

Moderate

EPSS score

0.272%
(68th percentile)

Weaknesses

CVE ID

CVE-2010-2057

GHSA ID

GHSA-4fv4-cq5v-x45m

Source code

No known source code