Improper Authentication in Apache MyFaces

Description

shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Source code
Not specified
Published (advisory)
2022-05-17 05:45:54 UTC
Updated
2023-09-26 16:25:04 UTC
GitHub reviewed
2022-07-08 18:54:49 UTC
NVD published
2010-10-20

EPSS Score

Score Percentile
1.04% 77.42%

CVSS Scores

No CVSS scores in this advisory.

Identifiers

CWEs

CWE id Name
CWE-287 Improper Authentication

Affected packages (6)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
maven org.apache.myfaces.shared:myfaces-shared-core >= 1.1.0, < 1.1.8 1.1.8
maven org.apache.myfaces.shared:myfaces-shared-core >= 1.2.0, < 1.2.9 1.2.9
maven org.apache.myfaces.shared:myfaces-shared-core >= 2.0.0, < 2.0.1 2.0.1
maven org.apache.myfaces.core:myfaces-impl >= 1.1.0, < 1.1.8 1.1.8
maven org.apache.myfaces.core:myfaces-impl >= 1.2.0, < 1.2.9 1.2.9
maven org.apache.myfaces.core:myfaces-impl >= 2.0.0, < 2.0.1 2.0.1

References

cvelogic Threat Intelligence