CVE-2010-2057

Published: Oct 20, 2010Modified: Apr 29, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.

Affected (16)

Products: Apache: Myfaces

Apache

1 product

Myfaces

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Apache Myfaces	Version 1.1.0
Apache Myfaces	Version 1.1.1
Apache Myfaces	Version 1.1.2
Apache Myfaces	Version 1.1.3
Apache Myfaces	Version 1.1.4
Apache Myfaces	Version 1.1.5
Apache Myfaces	Version 1.1.6
Apache Myfaces	Version 1.1.7

Configuration B

7 vulnerable

Vulnerable Software	Affected Versions
Apache Myfaces	Version 1.2.2
Apache Myfaces	Version 1.2.3
Apache Myfaces	Version 1.2.4
Apache Myfaces	Version 1.2.5
Apache Myfaces	Version 1.2.6
Apache Myfaces	Version 1.2.7
Apache Myfaces	Version 1.2.8