CVE-2010-2057

EUVD-2022-2370
shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:P/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
Affected Products (NVD)
VendorProductVersion
apachemyfaces
1.1.0
apachemyfaces
1.1.1
apachemyfaces
1.1.2
apachemyfaces
1.1.3
apachemyfaces
1.1.4
apachemyfaces
1.1.5
apachemyfaces
1.1.6
apachemyfaces
1.1.7
apachemyfaces
1.2.2
apachemyfaces
1.2.3
apachemyfaces
1.2.4
apachemyfaces
1.2.5
apachemyfaces
1.2.6
apachemyfaces
1.2.7
apachemyfaces
1.2.8
apachemyfaces
2.0.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://svn.apache.org/viewvc/myfaces/shared/trunk/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java?r1=943327&r2=951801
https://bugzilla.redhat.com/show_bug.cgi?id=623799
https://issues.apache.org/jira/browse/MYFACES-2749
http://svn.apache.org/viewvc/myfaces/shared/trunk/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java?r1=943327&r2=951801
https://bugzilla.redhat.com/show_bug.cgi?id=623799
https://issues.apache.org/jira/browse/MYFACES-2749