Cross-site Request Forgery (CSRF) Affecting org.apache.myfaces.core:myfaces-core-project package, versions [,2.0.25) [2.1.0,2.2.14) [2.3.0,2.3.8) [2.3-next-M1, 2.3-next-M5) [3.0.0-RC1,3.0.0)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
19 Feb 2021
19 Feb 2021
Wolfgang Ettlinger (Certitude Consulting GmbH)
How to fix?
org.apache.myfaces.core:myfaces-core-project to version 2.0.25, 2.2.14, 2.3.8, 2.3-next-M5, 3.0.0 or higher.
org.apache.myfaces.core:myfaces-core-project is a MyFaces implementation of the JavaServer Faces 2.3 specification, and consists of an API module (javax.faces.* classes) and an implementation module (org.apache.myfaces.* classes).
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). In the default configuration, Apache MyFaces Core uses cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.