shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: redhat
Published: 2010-10-20T17:00:00Z
Updated: 2010-10-20T17:00:00Z
Reserved: 2010-05-25T00:00:00Z
Link: CVE-2010-2057
JSON object: View
NVD Information
Status : Analyzed
Published: 2010-10-20T18:00:02.503
Modified: 2010-11-19T05:00:00.000
Link: CVE-2010-2057
JSON object: View
Redhat Information
No data.
CWE