Описание
shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
Ссылки
- Patch
- Patch
Уязвимые конфигурации
Конфигурация 1
Одно из
cpe:2.3:a:apache:myfaces:1.1.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:myfaces:1.1.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:myfaces:1.1.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:myfaces:1.1.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:myfaces:1.1.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:myfaces:1.1.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:myfaces:1.1.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:myfaces:1.1.7:*:*:*:*:*:*:*
Конфигурация 2
Одно из
cpe:2.3:a:apache:myfaces:1.2.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:myfaces:1.2.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:myfaces:1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:myfaces:1.2.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:myfaces:1.2.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:myfaces:1.2.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:myfaces:1.2.8:*:*:*:*:*:*:*
Конфигурация 3
cpe:2.3:a:apache:myfaces:2.0.0:*:*:*:*:*:*:*
EPSS
Процентиль: 74%
0.00802
Низкий
5 Medium
CVSS2
Дефекты
CWE-310
Связанные уязвимости
redhat
больше 15 лет назад
shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
EPSS
Процентиль: 74%
0.00802
Низкий
5 Medium
CVSS2
Дефекты
CWE-310