Moderate severityNVD Advisory· Published Oct 20, 2010· Updated Apr 29, 2026
CVE-2010-2057
CVE-2010-2057
Description
shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.myfaces.shared:myfaces-shared-coreMaven | >= 1.1.0, < 1.1.8 | 1.1.8 |
org.apache.myfaces.shared:myfaces-shared-coreMaven | >= 1.2.0, < 1.2.9 | 1.2.9 |
org.apache.myfaces.shared:myfaces-shared-coreMaven | >= 2.0.0, < 2.0.1 | 2.0.1 |
org.apache.myfaces.core:myfaces-implMaven | >= 1.1.0, < 1.1.8 | 1.1.8 |
org.apache.myfaces.core:myfaces-implMaven | >= 1.2.0, < 1.2.9 | 1.2.9 |
org.apache.myfaces.core:myfaces-implMaven | >= 2.0.0, < 2.0.1 | 2.0.1 |
Affected products
16cpe:2.3:a:apache:myfaces:1.1.0:*:*:*:*:*:*:*+ 15 more
- cpe:2.3:a:apache:myfaces:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:1.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:1.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:1.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:1.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:1.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:1.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:myfaces:2.0.0:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- svn.apache.org/viewvc/myfaces/shared/trunk/core/src/main/java/org/apache/myfaces/shared/util/StateUtils.javanvdPatchWEB
- github.com/advisories/GHSA-4fv4-cq5v-x45mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2010-2057ghsaADVISORY
- bugzilla.redhat.com/show_bug.cginvdWEB
- issues.apache.org/jira/browse/MYFACES-2749nvdWEB
News mentions
0No linked articles in our index yet.