Bug 24428 - CVE-2010-2057: Encrypted View State does not include Message Authentication Code (MAC)
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: myfaces
Version: unstable
Hardware: all Linux
Importance: P3 blocker
Assignee: viy
QA Contact: qa-sisyphus
URL: https://issues.apache.org/jira/browse...
Keywords: security
Reported: 2010-10-26 19:44 MSD by Vladimir Lettiev
Modified: 2015-10-28 01:07 MSK
Description Vladimir Lettiev 2010-10-26 19:44:23 MSD
shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
Comment 1 viy 2015-10-28 01:07:31 MSK
package removed from the repository