CVE-2010-2057
Apache MyFaces 1.1.x < 1.1.8, 1.2.x < 1.2.9, 2.0.x < 2.0.1 - View State Tampering via Padding Oracle Attack
Title source: llmDescription
shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
References (3)
Core 3
Core References
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=623799
Various Sources x_refsource_confirm
https://issues.apache.org/jira/browse/MYFACES-2749
Scores
EPSS
0.0310
EPSS Percentile
86.3%
Details
CWE
CWE-310
Status
published
Products (18)
apache/myfaces
1.1.0
apache/myfaces
1.1.1
apache/myfaces
1.1.2
apache/myfaces
1.1.3
apache/myfaces
1.1.4
apache/myfaces
1.1.5
apache/myfaces
1.1.6
apache/myfaces
1.1.7
apache/myfaces
1.2.2
apache/myfaces
1.2.3
... and 8 more
Published
Oct 20, 2010
Tracked Since
Feb 18, 2026