CVE-2021-26296

Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces

  • Severity Score (CVSS v3.1): 7.5
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits (Multiple Sources): 1
  • Exploited in Wild (KEV): -
  • Decision (SSVC): -

Descriptions

In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.

Apache MyFaces versions 2.2.13 and below, 2.3.7 and below, 2.3-next-M4 and below, and 2.1 and below suffer from a cross-site request forgery vulnerability.

*Credits: Apache MyFaces would like to thank Wolfgang Ettlinger (Certitude Consulting GmbH)

CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: High
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2021-01-28 CVE Reserved
  • 2021-02-19 CVE Published
  • 2024-07-09 EPSS Updated
  • 2024-08-03 CVE Updated
  • 2024-08-03 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product             Version              Other     Status
Apache   Myfaces             >= 2.2.0 <= 2.2.13   -         Affected
Apache   Myfaces             >= 2.3.0 <= 2.3.7    -         Affected
Apache   Myfaces             2.3                  next-m1   Affected
Apache   Myfaces             2.3                  next-m2   Affected
Apache   Myfaces             2.3                  next-m3   Affected
Apache   Myfaces             2.3                  next-m4   Affected
Apache   Myfaces             3.0.0                rc1       Affected
Netapp   Oncommand Insight   -                    -         Affected