CVE-2021-26296 — Cross-Site Request Forgery in Software Foundation Apache Myfaces Core

CWE-352 — Cross-Site Request Forgery CWE-330 — Use of Insufficiently Random Values5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 44.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Myfaces Core Apache Myfaces

Timeline

PublishedFeb 19

Latest updateJun 16

Description

In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5apache_software_foundation/apache_myfaces_coreApache MyFaces Core 2.2 — 2.2.14+3

▶NVDapache/myfaces2.2.0 — 2.2.13+3

🔴Vulnerability Details

OSV

Cryptographically weak CSRF tokens in Apache MyFaces↗2021-06-16

▶

GHSA

Cryptographically weak CSRF tokens in Apache MyFaces↗2021-06-16

▶

CVEList

Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces↗2021-02-19

▶

📋Vendor Advisories

Red Hat

myfaces: Cross-site request forgery vulnerability in Apache MyFaces↗2021-02-18

▶