CVE-2021-26296 – Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces
https://notcve.org/view.php?id=CVE-2021-26296
In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.
Apache MyFaces versions 2.2.13 and below, 2.3.7 and below, 2.3-next-M4 and below, and 2.1 and below suffer from a cross-site request forgery vulnerability.
• http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html
• http://seclists.org/fulldisclosure/2021/Feb/66
• https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E
• https://security.netapp.com/advisory/ntap-20210528-0007
• CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2016-5019
https://notcve.org/view.php?id=CVE-2016-5019
CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string.
• http://mail-archives.apache.org/mod_mbox/myfaces-users/201609.mbox/%3CCAM1yOjYM%2BEW3mLUfX0pNAVLfUFRAw-Bhvkp3UE5%3DEQzR8Yxsfw%40mail.gmail.com%3E
• http://packetstormsecurity.com/files/138920/Apache-MyFaces-Trinidad-Information-Disclosure.html
• http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
• http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
• http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
• http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.
• CWE-502: Deserialization of Untrusted Data
CVE-2011-4367 – Apache MyFaces - 'ln' Information Disclosure
https://notcve.org/view.php?id=CVE-2011-4367
Multiple directory traversal vulnerabilities in MyFaces JavaServer Faces (JSF) in Apache MyFaces Core 2.0.x before 2.0.12 and 2.1.x before 2.1.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) ln parameter to faces/javax.faces.resource/web.xml or (2) the PATH_INFO to faces/javax.faces.resource/.
Apache MyFaces Core versions 2.0.1 to 2.0.11 and 2.1.0 to 2.1.5 suffer from a remote file disclosure vulnerability.
• https://www.exploit-db.com/exploits/36681
• http://mail-archives.apache.org/mod_mbox/myfaces-announce/201202.mbox/%3C4F33ED1F.4070007%40apache.org%3E
• http://osvdb.org/show/osvdb/79002
• http://seclists.org/fulldisclosure/2012/Feb/150
• http://secunia.com/advisories/47973
• http://www.securityfocus.com/bid/51939
• https://exchange.xforce.ibmcloud.com/vulnerabilities/73100
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2011-4343 – Apache MyFaces 2.0 / 2.1 Information Disclosure
https://notcve.org/view.php?id=CVE-2011-4343
Information disclosure vulnerability in Apache MyFaces Core 2.0.1 through 2.0.10 and 2.1.0 through 2.1.4 allows remote attackers to inject EL expressions via crafted parameters.
Apache MyFaces Core versions 2.0.1 through 2.0.10 and versions 2.1.0 through 2.1.4 suffer from an information disclosure vulnerability.
• http://marc.info/?l=full-disclosure&m=132313252814362
• http://www.securitytracker.com/id/1039695
• https://issues.apache.org/jira/secure/attachment/12504807/MYFACES-3405-1.patch
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2010-2057
https://notcve.org/view.php?id=CVE-2010-2057
shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
• http://svn.apache.org/viewvc/myfaces/shared/trunk/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.java?r1=943327&r2=951801
• https://bugzilla.redhat.com/show_bug.cgi?id=623799
• https://issues.apache.org/jira/browse/MYFACES-2749
• CWE-310: Cryptographic Issues