Описание
In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.
Отчет
Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of RHOSP 14 and is only receiving security fixes for Important and Critical flaws.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Decision Manager 7 | jsf-impl-myfaces | Will not fix | ||
| Red Hat JBoss Enterprise Application Platform 6 | myfaces-impl | Out of support scope | ||
| Red Hat JBoss Enterprise Application Platform 7 | myfaces-impl | Not affected | ||
| Red Hat JBoss Enterprise Application Platform Expansion Pack | myfaces-impl | Not affected | ||
| Red Hat OpenStack Platform 13 (Queens) | opendaylight | Will not fix | ||
| Red Hat Process Automation 7 | jsf-impl-myfaces | Will not fix |
Показывать по
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.
7.5 High
CVSS3