CVE-2010-2057

shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:P/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 68%
VendorProductVersion
apachemyfaces
1.1.0
apachemyfaces
1.1.1
apachemyfaces
1.1.2
apachemyfaces
1.1.3
apachemyfaces
1.1.4
apachemyfaces
1.1.5
apachemyfaces
1.1.6
apachemyfaces
1.1.7
apachemyfaces
1.2.2
apachemyfaces
1.2.3
apachemyfaces
1.2.4
apachemyfaces
1.2.5
apachemyfaces
1.2.6
apachemyfaces
1.2.7
apachemyfaces
1.2.8
apachemyfaces
2.0.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://svn.apache.org/viewvc/myfaces/shared/trunk/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java?r1=943327&r2=951801
https://bugzilla.redhat.com/show_bug.cgi?id=623799
https://issues.apache.org/jira/browse/MYFACES-2749
http://svn.apache.org/viewvc/myfaces/shared/trunk/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java?r1=943327&r2=951801
https://bugzilla.redhat.com/show_bug.cgi?id=623799
https://issues.apache.org/jira/browse/MYFACES-2749