Padding Oracle Attack Vulnerability in Apache MyFaces
CVE-2010-2057
Currently unrated
Summary
Apache MyFaces uses an encrypted View State that lacks a Message Authentication Code (MAC). Without a MAC, the framework cannot detect changes to the ciphertext, so remote attackers can use a padding oracle attack to alter the View State without proper validation. These modifications can lead to unauthorized actions in web applications built on the framework.
References
Timeline
Vulnerability published
Vulnerability Reserved