CVE-2010-2057

Apache MyFaces 1.1.x < 1.1.8, 1.2.x < 1.2.9, 2.0.x < 2.0.1 - View State Tampering via Padding Oracle Attack

Title source: llm
STIX 2.1

Description

shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.

Scores

EPSS 0.0310
EPSS Percentile 86.3%

Details

CWE
CWE-310
Status published
Products (18)
apache/myfaces 1.1.0
apache/myfaces 1.1.1
apache/myfaces 1.1.2
apache/myfaces 1.1.3
apache/myfaces 1.1.4
apache/myfaces 1.1.5
apache/myfaces 1.1.6
apache/myfaces 1.1.7
apache/myfaces 1.2.2
apache/myfaces 1.2.3
... and 8 more
Published Oct 20, 2010
Tracked Since Feb 18, 2026