CVE-2021-26296 - OpenCVE

In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:H/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Netapp	Oncommand Insight
Apache	Myfaces

Configuration 1 [-]

OR	cpe:2.3:a:apache:myfaces::::::::
	cpe:2.3:a:apache:myfaces::::::::
	cpe:2.3:a:apache:myfaces:2.3:next-m1::::::
	cpe:2.3:a:apache:myfaces:2.3:next-m2::::::
	cpe:2.3:a:apache:myfaces:2.3:next-m3::::::
	cpe:2.3:a:apache:myfaces:2.3:next-m4::::::
	cpe:2.3:a:apache:myfaces:3.0.0:rc1::::::

Configuration 2 [-]

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

References

Link	Resource
http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html	Exploit Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2021/Feb/66	Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E	Mailing List Vendor Advisory
https://security.netapp.com/advisory/ntap-20210528-0007/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2021-02-19T08:30:14

Updated: 2021-05-28T09:06:18

Reserved: 2021-01-28T00:00:00

Link: CVE-2021-26296

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-02-19T09:15:13.283

Modified: 2021-06-02T15:15:32.973

Link: CVE-2021-26296

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"containers": {"cna": {"affected": [{"product": "Apache MyFaces Core", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.2.14", "status": "affected", "version": "Apache MyFaces Core 2.2", "versionType": "custom"}, {"lessThan": "2.3.8", "status": "affected", "version": "Apache MyFaces Core 2.3", "versionType": "custom"}, {"lessThan": "2.3-next-M5", "status": "affected", "version": "Apache MyFaces Core 2.3-next", "versionType": "custom"}, {"lessThan": "3.0.0", "status": "affected", "version": "Apache MyFaces Core 3.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache MyFaces would like to thank Wolfgang Ettlinger (Certitude Consulting GmbH)"}], "descriptions": [{"lang": "en", "value": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-28T09:06:18", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"}, {"name": "20210219 [CSA-2021-001] Cross-Site Request Forgery in Apache MyFaces", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2021/Feb/66"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210528-0007/"}], "source": {"defect": ["MYFACES-4373"], "discovery": "UNKNOWN"}, "title": "Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces", "workarounds": [{"lang": "en", "value": "Existing web.xml configuration parameters can be used to direct MyFaces to use SecureRandom for CSRF token generation:\n\norg.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN=secureRandom"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-26296", "STATE": "PUBLIC", "TITLE": "Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache MyFaces Core", "version": {"version_data": [{"version_affected": "<", "version_name": "Apache MyFaces Core 2.2", "version_value": "2.2.14"}, {"version_affected": "<", "version_name": "Apache MyFaces Core 2.3", "version_value": "2.3.8"}, {"version_affected": "<", "version_name": "Apache MyFaces Core 2.3-next", "version_value": "2.3-next-M5"}, {"version_affected": "<", "version_name": "Apache MyFaces Core 3.0", "version_value": "3.0.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache MyFaces would like to thank Wolfgang Ettlinger (Certitude Consulting GmbH)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"}, {"name": "20210219 [CSA-2021-001] Cross-Site Request Forgery in Apache MyFaces", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2021/Feb/66"}, {"name": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"}, {"name": "https://security.netapp.com/advisory/ntap-20210528-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210528-0007/"}]}, "source": {"defect": ["MYFACES-4373"], "discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Existing web.xml configuration parameters can be used to direct MyFaces to use SecureRandom for CSRF token generation:\n\norg.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN=secureRandom"}]}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-26296", "datePublished": "2021-02-19T08:30:14", "dateReserved": "2021-01-28T00:00:00", "dateUpdated": "2021-05-28T09:06:18", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:myfaces:*:*:*:*:*:*:*:*", "matchCriteriaId": "43C2311F-12BF-4C37-8FF2-B5F555888D92", "versionEndIncluding": "2.2.13", "versionStartIncluding": "2.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:myfaces:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACA9DF3E-01A7-49C4-9E63-1CA07DA1A2C2", "versionEndIncluding": "2.3.7", "versionStartIncluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:myfaces:2.3:next-m1:*:*:*:*:*:*", "matchCriteriaId": "EF54DDD0-74AA-494B-9F69-C1BA5A208B1F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:myfaces:2.3:next-m2:*:*:*:*:*:*", "matchCriteriaId": "6DBA33A5-97A2-45D4-AAAC-AD6A05888656", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:myfaces:2.3:next-m3:*:*:*:*:*:*", "matchCriteriaId": "CBE81BF3-66DB-4BD7-A767-547A727CF9B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:myfaces:2.3:next-m4:*:*:*:*:*:*", "matchCriteriaId": "3A377CFB-B073-4B74-9CE9-0D09A08FCFCF", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:myfaces:3.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "7CD2AAA3-C1C0-43B2-BD90-742B0B85CD65", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application."}, {"lang": "es", "value": "En la configuraci\u00f3n predeterminada, Apache MyFaces Core versiones 2.2.0 hasta 2.2.13, versiones 2.3.0 hasta 2.3.7, versiones 2.3-next-M1 hasta 2.3-next-M4 y 3.0.0-RC1, usan tokens de tipo cross-site request forgery (CSRF) impl\u00edcitos y expl\u00edcitos criptogr\u00e1ficamente d\u00e9biles. Debido a esa limitaci\u00f3n, es posible (aunque dif\u00edcil) para un atacante calcular un valor futuro de token CSRF y usar ese valor para enga\u00f1ar al usuario a ejecutar acciones no deseadas en una aplicaci\u00f3n"}], "id": "CVE-2021-26296", "lastModified": "2021-06-02T15:15:32.973", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-19T09:15:13.283", "references": [{"source": "security@apache.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2021/Feb/66"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210528-0007/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@apache.org", "type": "Secondary"}]}