VYPR
Moderate severityNVD Advisory· Published Oct 20, 2010· Updated Jun 16, 2026

CVE-2010-2057

CVE-2010-2057

Description

shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.myfaces.shared:myfaces-shared-coreMaven
>= 1.1.0, < 1.1.81.1.8
org.apache.myfaces.shared:myfaces-shared-coreMaven
>= 1.2.0, < 1.2.91.2.9
org.apache.myfaces.shared:myfaces-shared-coreMaven
>= 2.0.0, < 2.0.12.0.1
org.apache.myfaces.core:myfaces-implMaven
>= 1.1.0, < 1.1.81.1.8
org.apache.myfaces.core:myfaces-implMaven
>= 1.2.0, < 1.2.91.2.9
org.apache.myfaces.core:myfaces-implMaven
>= 2.0.0, < 2.0.12.0.1

Affected products

18
  • Apache/Myfaces16 versions
    cpe:2.3:a:apache:myfaces:1.1.0:*:*:*:*:*:*:*+ 15 more
    • cpe:2.3:a:apache:myfaces:1.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:myfaces:1.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:myfaces:1.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:myfaces:1.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:myfaces:1.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:myfaces:1.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:myfaces:1.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:myfaces:1.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:myfaces:1.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:myfaces:1.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:myfaces:1.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:myfaces:1.2.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:myfaces:1.2.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:myfaces:1.2.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:myfaces:1.2.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:myfaces:2.0.0:*:*:*:*:*:*:*
  • ghsa-coords2 versions
    >= 1.1.0, < 1.1.8+ 1 more
    • (no CPE)range: >= 1.1.0, < 1.1.8
    • (no CPE)range: >= 1.1.0, < 1.1.8

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.