CVE-2021-26296

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-26296
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-26296.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-26296
Aliases
Published
2021-02-19T09:15:13.283Z
Modified
2026-04-10T04:33:29.373435Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.

References

Affected packages

Git / github.com/apache/myfaces

Affected ranges

Type
GIT
Repo
https://github.com/apache/myfaces
Events
Introduced
7f14c1af9c4de563fe32714688e88cfd0265f3f1
Last affected
2005dd31c1e63456ba01f1b23997ff3dfb81c718
Introduced
c9a1fc5cdd54470443dc6ebd1f479caefb3cf87f
Last affected
ff4270d98fc76abe647eed2360d16f82e142345e
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
1bfe848e4f224bb043178aafaa3451e2d32f0c97
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
f3c985f28479cc78cbb4197dea4b64d8a955f1bf
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
9ed979f8fd93b8cea576f31ee4795cde114efa37
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
3c648fff9da7640705d9f7395992c42945fd8a44
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
a3d54b6c45b2fc15efba645f590d065b8b7ee561
Database specific 
{
    "versions": [
        {
            "introduced": "2.2.0"
        },
        {
            "last_affected": "2.2.13"
        },
        {
            "introduced": "2.3.0"
        },
        {
            "last_affected": "2.3.7"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.3-next\\-m1"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.3-next\\-m2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.3-next\\-m3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.3-next\\-m4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.0.0-rc1"
        }
    ]
}

Affected versions

myfaces-core-module-2.*
myfaces-core-module-2.2.0
myfaces-core-module-2.2.1
myfaces-core-module-2.2.10
myfaces-core-module-2.2.11
myfaces-core-module-2.2.12
myfaces-core-module-2.2.13
myfaces-core-module-2.2.2
myfaces-core-module-2.2.3
myfaces-core-module-2.2.4
myfaces-core-module-2.2.5
myfaces-core-module-2.2.6
myfaces-core-module-2.2.7
myfaces-core-module-2.2.8
myfaces-core-module-2.2.9
myfaces-core-module-2.3.0-beta
myfaces-core-module-2.3.1
myfaces-core-module-2.3.2
myfaces-core-module-2.3.3
myfaces-core-module-2.3.4
myfaces-core-module-2.3.5
myfaces-core-module-2.3.6
myfaces-core-module-2.3.7
myfaces-core-module-3.*
myfaces-core-module-3.0.0-RC1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-26296.json"