CVE-2010-4007

Oracle Mojarra uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack, a related issue to CVE-2010-2057.
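
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 5 UNKNOWN | NETWORK | LOW | | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |
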
EPSS Score
Percentile: 55%

| Vendor | Product | Version |
|---|---|---|
| oracle | mojarra | 1.1 |
| oracle | mojarra | 1.1_02:_02 |
| oracle | mojarra | 1.2 |
| oracle | mojarra | 1.2_01:_01 |
| oracle | mojarra | 1.2_02:_02 |
| oracle | mojarra | 1.2_03:_03 |
| oracle | mojarra | 1.2_04:_04 |
| oracle | mojarra | 1.2_05:_05 |
| oracle | mojarra | 1.2_06:_06 |
| oracle | mojarra | 1.2_07:_07 |
| oracle | mojarra | 1.2_08:_08 |
| oracle | mojarra | 1.2_09:_09 |
| oracle | mojarra | 1.2_10:_10 |
| oracle | mojarra | 1.2_11:_11 |
| oracle | mojarra | 1.2_12:_12 |
| oracle | mojarra | 1.2_13:_13 |
| oracle | mojarra | 1.2_14:_14 |
| oracle | mojarra | 1.2_15:_15 |
| oracle | mojarra | 2.0.0 |
| oracle | mojarra | 2.0.1 |
| oracle | mojarra | 2.0.2 |
| oracle | mojarra | 2.0.3 |

𝑥 = Vulnerable software versions

Debian Releases
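
| Debian Product | Codename | Version | Status |
|---|---|---|---|
| mojarra | sid | 2.2.8-6 | fixed |
| mojarra | trixie | 2.2.8-6 | fixed |
| mojarra | bookworm | 2.2.8-6 | fixed |
| mojarra | bullseye | 2.2.8-6 | fixed |
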
Common Weakness Enumeration