CVE-2010-4007
Description
Oracle Mojarra uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack, a related issue to CVE-2010-2057.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Oracle Mojarra's encrypted View State lacks a MAC, enabling padding oracle attacks that allow remote attackers to modify the state.
Vulnerability
Oracle Mojarra (the JSF reference implementation) encrypts the View State but does not include a Message Authentication Code (MAC) to verify integrity. This design flaw, related to CVE-2010-2057 affecting Apache MyFaces, makes the encrypted state susceptible to padding oracle attacks. The vulnerability affects all versions of Mojarra that use client-side state saving with encryption. [1][2]
Exploitation
An attacker with network access to a Mojarra-based application can send crafted requests containing modified encrypted View State values. By observing the server's responses (e.g., error messages or timing differences), the attacker can perform a padding oracle attack to decrypt and then re-encrypt the state with arbitrary modifications. No authentication is required beyond the ability to submit HTTP requests. [1][2]
Impact
Successful exploitation allows the attacker to modify the View State, potentially altering application behavior, bypassing authorization checks, or injecting malicious data. This can lead to information disclosure, privilege escalation, or other client-side manipulation. The attack does not require prior knowledge of the encryption key. [1][2]
Mitigation
Oracle has not released a specific fix for Mojarra; the recommended mitigation is to switch to server-side state saving, which transmits only an identifier and prevents modification of the component tree. For applications that must use client-side state saving, implement a custom MAC or upgrade to a version that includes integrity protection. As of the publication date, no official patch is available. [2]
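As an added illustration of the integrity protection the mitigation refers to (example code, not Mojarra's own), an encrypt-then-MAC wrapper for a serialized view state: the HMAC is verified over IV and ciphertext before any decryption is attempted, and every failure collapses to one error, so a tampered token never reaches the padding check. The class name, token layout and key handling are assumptions.

```java
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical encrypt-then-MAC helper for a serialized view state (not Mojarra code).
public final class AuthenticatedViewState {
    private static final int IV_LEN = 16, TAG_LEN = 32;   // AES block size, HMAC-SHA256 output size
    private final SecretKeySpec encKey, macKey;            // two independent keys, never shared
    public AuthenticatedViewState(byte[] encKeyBytes, byte[] macKeyBytes) {
        encKey = new SecretKeySpec(encKeyBytes, "AES");
        macKey = new SecretKeySpec(macKeyBytes, "HmacSHA256");
    }
    /** Token layout: base64( IV || AES-CBC ciphertext || HMAC-SHA256(IV || ciphertext) ). */
    public String seal(byte[] state) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);                  // fresh random IV per token
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, encKey, new IvParameterSpec(iv));
        byte[] ivCt = concat(iv, c.doFinal(state));
        return Base64.getEncoder().encodeToString(concat(ivCt, hmac(ivCt)));
    }
    /** Verifies the tag BEFORE decrypting; all failures raise the same error, so padding is never an oracle. */
    public byte[] open(String token) throws GeneralSecurityException {
        byte[] blob = Base64.getDecoder().decode(token);
        if (blob.length < IV_LEN + TAG_LEN + 16) throw new GeneralSecurityException("invalid view state");
        byte[] ivCt = Arrays.copyOfRange(blob, 0, blob.length - TAG_LEN);
        byte[] tag = Arrays.copyOfRange(blob, blob.length - TAG_LEN, blob.length);
        // Constant-time comparison; a forged or modified token is rejected before Cipher is touched.
        if (!MessageDigest.isEqual(hmac(ivCt), tag)) throw new GeneralSecurityException("invalid view state");
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, encKey, new IvParameterSpec(Arrays.copyOf(ivCt, IV_LEN)));
        try { return c.doFinal(ivCt, IV_LEN, ivCt.length - IV_LEN); }
        catch (GeneralSecurityException e) { throw new GeneralSecurityException("invalid view state"); }
    }
    private byte[] hmac(byte[] data) throws GeneralSecurityException {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(macKey);
        return m.doFinal(data);
    }
    private static byte[] concat(byte[] a, byte[] b) {
        return ByteBuffer.allocate(a.length + b.length).put(a).put(b).array();
    }
}
```

The same uniform-error rule applies to any logging or HTTP status chosen around `open`: a distinct response for a bad tag versus bad padding would reintroduce the oracle the MAC removes.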
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
23 CPEs:
- cpe:2.3:a:oracle:mojarra:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.1_02:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2_01:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2_02:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2_03:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2_04:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2_05:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2_06:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2_07:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2_08:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2_09:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2_10:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2_11:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2_12:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2_13:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2_14:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:1.2_15:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:mojarra:2.0.3:*:*:*:*:*:*:*
- (no CPE)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.