
CVE-2021-26296

Source: NVD (NIST)
Published: Feb 19, 2021
Modified: Nov 21, 2024


CVSS v3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.6 / Impact: 5.9
Source: NVD

Description

In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.

Affected (8)

Products: Myfaces (1 product), Oncommand Insight (1 product)

Configuration A (7 vulnerable)
Vulnerable Software: Apache Myfaces
Affected Versions:
- From 2.2.0 to 2.2.13
- From 2.3.0 to 2.3.7
- Version 2.3 next-m1
- Version 2.3 next-m2
- Version 2.3 next-m3
- Version 2.3 next-m4
- Version 3.0.0 rc1

Configuration B (1 vulnerable)
Vulnerable Software: Oncommand Insight
Affected Versions: All versions

References (8)

Source: security@apache.org (Exploit, Third Party Advisory, VDB Entry)
Source: security@apache.org (Mailing List, Third Party Advisory)
Source: security@apache.org (Third Party Advisory)
Source: af854a3a-2127-422b-91ae-364da2661108 (Exploit, Third Party Advisory, VDB Entry)
Source: af854a3a-2127-422b-91ae-364da2661108 (Mailing List, Third Party Advisory)
Source: af854a3a-2127-422b-91ae-364da2661108 (Third Party Advisory)

Timeline

No history available yet.