CVE-2010-2057: Encrypted view state does not include MAC

October 20, 2010 (updated November 19, 2010)

shared/util/StateUtils.java in this package uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.

References

issues.apache.org/jira/browse/MYFACES-2749
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2057

Code Behaviors & Features

Detect and mitigate CVE-2010-2057 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →