Home
» GitHub Advisories
» GHSA-4fv4-cq5v-x45m
Description
shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
Basic information
Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
—
Source code
Not specified
Published (advisory)
2022-05-17 05:45:54 UTC
Updated
2023-09-26 16:25:04 UTC
GitHub reviewed
2022-07-08 18:54:49 UTC
NVD published
2010-10-20
EPSS Score
Score
Percentile
1.04%
77.42%
CVSS Scores
No CVSS scores in this advisory.
CWEs
CWE id
Name
CWE-287
Improper Authentication
Affected packages (6)
Vulnerable version ranges and first patched releases as published by GitHub.
Ecosystem
Package
Vulnerable range
First patched
Vulnerable functions
maven
org.apache.myfaces.shared:myfaces-shared-core
>= 1.1.0, < 1.1.8
1.1.8
—
maven
org.apache.myfaces.shared:myfaces-shared-core
>= 1.2.0, < 1.2.9
1.2.9
—
maven
org.apache.myfaces.shared:myfaces-shared-core
>= 2.0.0, < 2.0.1
2.0.1
—
maven
org.apache.myfaces.core:myfaces-impl
>= 1.1.0, < 1.1.8
1.1.8
—
maven
org.apache.myfaces.core:myfaces-impl
>= 1.2.0, < 1.2.9
1.2.9
—
maven
org.apache.myfaces.core:myfaces-impl
>= 2.0.0, < 2.0.1
2.0.1
—
cvelogic
Threat Intelligence