CVE Vulnerabilities

CVE-2010-2057

Published: Oct 20, 2010 | Modified: Nov 19, 2010
CVSS 3.x: N/A
Source: NVD
CVSS 2.x: 5 MEDIUM (AV:N/AC:L/Au:N/C:N/I:P/A:N)

shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.

Affected Software

Name     Vendor  Start Version  End Version
Myfaces  Apache  1.1.1          1.1.1
Myfaces  Apache  1.1.6          1.1.6
Myfaces  Apache  1.1.3          1.1.3
Myfaces  Apache  1.1.5          1.1.5
Myfaces  Apache  1.1.0          1.1.0
Myfaces  Apache  1.1.7          1.1.7
Myfaces  Apache  1.1.4          1.1.4
Myfaces  Apache  1.1.2          1.1.2
