#24428 – CVE-2010-2057: Encrypted View State does not include Message Authentication Code (MAC)

Bug 24428 - CVE-2010-2057: Encrypted View State does not include Message Authentication Code (MAC)

Summary: CVE-2010-2057: Encrypted View State does not include Message Authentication C...

Status:	CLOSED FIXED

Alias:	None

Product:	Sisyphus
Classification:	Development
Component:	myfaces (show other bugs)
Version:	unstable
Hardware:	all Linux

Importance:	P3 blocker
Assignee:	viy
QA Contact:	qa-sisyphus

URL:	https://issues.apache.org/jira/browse...
Keywords:	security

Depends on:
Blocks:

Reported:	2010-10-26 19:44 MSD by Vladimir Lettiev
Modified:	2015-10-28 01:07 MSK (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Vladimir Lettiev 2010-10-26 19:44:23 MSD

shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.

Comment 1 viy 2015-10-28 01:07:31 MSK

пакет удален из репозитория