{"containers": {"cna": {"affected": [{"product": "Apache MyFaces Core", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "2.2.14", "status": "affected", "version": "Apache MyFaces Core 2.2", "versionType": "custom"}, {"lessThan": "2.3.8", "status": "affected", "version": "Apache MyFaces Core 2.3", "versionType": "custom"}, {"lessThan": "2.3-next-M5", "status": "affected", "version": "Apache MyFaces Core 2.3-next", "versionType": "custom"}, {"lessThan": "3.0.0", "status": "affected", "version": "Apache MyFaces Core 3.0", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Apache MyFaces would like to thank Wolfgang Ettlinger (Certitude Consulting GmbH)"}], "descriptions": [{"lang": "en", "value": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2024-08-03T20:20:55.000Z", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"}, {"name": "20210219 [CSA-2021-001] Cross-Site Request Forgery in Apache MyFaces", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2021/Feb/66"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20210528-0007/"}], "source": {"defect": ["MYFACES-4373"], "discovery": "UNKNOWN"}, "title": "Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces", "workarounds": [{"lang": "en", "value": "Existing web.xml configuration parameters can be used to direct MyFaces to use SecureRandom for CSRF token generation:\n\norg.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN=secureRandom"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-26296", "STATE": "PUBLIC", "TITLE": "Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache MyFaces Core", "version": {"version_data": [{"version_affected": "<", "version_name": "Apache MyFaces Core 2.2", "version_value": "2.2.14"}, {"version_affected": "<", "version_name": "Apache MyFaces Core 2.3", "version_value": "2.3.8"}, {"version_affected": "<", "version_name": "Apache MyFaces Core 2.3-next", "version_value": "2.3-next-M5"}, {"version_affected": "<", "version_name": "Apache MyFaces Core 3.0", "version_value": "3.0.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "Apache MyFaces would like to thank Wolfgang Ettlinger (Certitude Consulting GmbH)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"}, {"name": "20210219 [CSA-2021-001] Cross-Site Request Forgery in Apache MyFaces", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2021/Feb/66"}, {"name": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"}, {"name": "https://security.netapp.com/advisory/ntap-20210528-0007/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210528-0007/"}]}, "source": {"defect": ["MYFACES-4373"], "discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Existing web.xml configuration parameters can be used to direct MyFaces to use SecureRandom for CSRF token generation:\n\norg.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN=secureRandom"}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T20:19:20.159Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"}, {"name": "20210219 [CSA-2021-001] Cross-Site Request Forgery in Apache MyFaces", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2021/Feb/66"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20210528-0007/"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-26296", "datePublished": "2021-02-19T08:30:14.000Z", "dateReserved": "2021-01-28T00:00:00.000Z", "dateUpdated": "2025-02-13T16:27:52.470Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:myfaces:*:*:*:*:*:*:*:*", "matchCriteriaId": "43C2311F-12BF-4C37-8FF2-B5F555888D92", "versionEndIncluding": "2.2.13", "versionStartIncluding": "2.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:myfaces:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACA9DF3E-01A7-49C4-9E63-1CA07DA1A2C2", "versionEndIncluding": "2.3.7", "versionStartIncluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:myfaces:2.3:next-m1:*:*:*:*:*:*", "matchCriteriaId": "EF54DDD0-74AA-494B-9F69-C1BA5A208B1F", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:myfaces:2.3:next-m2:*:*:*:*:*:*", "matchCriteriaId": "6DBA33A5-97A2-45D4-AAAC-AD6A05888656", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:myfaces:2.3:next-m3:*:*:*:*:*:*", "matchCriteriaId": "CBE81BF3-66DB-4BD7-A767-547A727CF9B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:myfaces:2.3:next-m4:*:*:*:*:*:*", "matchCriteriaId": "3A377CFB-B073-4B74-9CE9-0D09A08FCFCF", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:myfaces:3.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "7CD2AAA3-C1C0-43B2-BD90-742B0B85CD65", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application."}, {"lang": "es", "value": "En la configuraci\u00f3n predeterminada, Apache MyFaces Core versiones 2.2.0 hasta 2.2.13, versiones 2.3.0 hasta 2.3.7, versiones 2.3-next-M1 hasta 2.3-next-M4 y 3.0.0-RC1, usan tokens de tipo cross-site request forgery (CSRF) impl\u00edcitos y expl\u00edcitos criptogr\u00e1ficamente d\u00e9biles. Debido a esa limitaci\u00f3n, es posible (aunque dif\u00edcil) para un atacante calcular un valor futuro de token CSRF y usar ese valor para enga\u00f1ar al usuario a ejecutar acciones no deseadas en una aplicaci\u00f3n"}], "id": "CVE-2021-26296", "lastModified": "2024-11-21T05:56:02.610", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 4.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-19T09:15:13.283", "references": [{"source": "security@apache.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"}, {"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2021/Feb/66"}, {"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210528-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2021/Feb/66"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210528-0007/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "myfaces: Cross-site request forgery vulnerability in Apache MyFaces", "id": "1930409", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1930409"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-352", "details": ["In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application."], "name": "CVE-2021-26296", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Will not fix", "package_name": "jsf-impl-myfaces", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "myfaces-impl", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "myfaces-impl", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "myfaces-impl", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Will not fix", "package_name": "jsf-impl-myfaces", "product_name": "Red Hat Process Automation 7"}], "public_date": "2021-02-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-26296\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-26296"], "statement": "Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of RHOSP 14 and is only receiving security fixes for Important and Critical flaws.", "threat_severity": "Moderate"}