cvelistv5 - cve-2021-26296

CVE-2021-26296 (GCVE-0-2021-26296)

Vulnerability from cvelistv5

Published

2021-02-19 08:30

Modified

2025-02-13 16:27

Severity ?

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Summary

In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.

References

URL

Tags

security@apache.org	http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html	Exploit, Third Party Advisory, VDB Entry
security@apache.org	http://seclists.org/fulldisclosure/2021/Feb/66	Mailing List, Third Party Advisory
security@apache.org	https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E	Mailing List, Vendor Advisory
security@apache.org	https://security.netapp.com/advisory/ntap-20210528-0007/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2021/Feb/66	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20210528-0007/	Third Party Advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache MyFaces Core	Version: Apache MyFaces Core 2.2 < 2.2.14 Version: Apache MyFaces Core 2.3 < 2.3.8 Version: Apache MyFaces Core 2.3-next < 2.3-next-M5 Version: Apache MyFaces Core 3.0 < 3.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T20:19:20.159Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"
          },
          {
            "name": "20210219 [CSA-2021-001] Cross-Site Request Forgery in Apache MyFaces",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2021/Feb/66"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20210528-0007/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache MyFaces Core",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.2.14",
              "status": "affected",
              "version": "Apache MyFaces Core 2.2",
              "versionType": "custom"
            },
            {
              "lessThan": "2.3.8",
              "status": "affected",
              "version": "Apache MyFaces Core 2.3",
              "versionType": "custom"
            },
            {
              "lessThan": "2.3-next-M5",
              "status": "affected",
              "version": "Apache MyFaces Core 2.3-next",
              "versionType": "custom"
            },
            {
              "lessThan": "3.0.0",
              "status": "affected",
              "version": "Apache MyFaces Core 3.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache MyFaces would like to thank Wolfgang Ettlinger (Certitude Consulting GmbH)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-03T20:20:55.000Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"
        },
        {
          "name": "20210219 [CSA-2021-001] Cross-Site Request Forgery in Apache MyFaces",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2021/Feb/66"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20210528-0007/"
        }
      ],
      "source": {
        "defect": [
          "MYFACES-4373"
        ],
        "discovery": "UNKNOWN"
      },
      "title": "Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces",
      "workarounds": [
        {
          "lang": "en",
          "value": "Existing web.xml configuration parameters can be used to direct MyFaces to use SecureRandom for CSRF token generation:\n\norg.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN=secureRandom"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-26296",
          "STATE": "PUBLIC",
          "TITLE": "Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache MyFaces Core",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache MyFaces Core 2.2",
                            "version_value": "2.2.14"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache MyFaces Core 2.3",
                            "version_value": "2.3.8"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache MyFaces Core 2.3-next",
                            "version_value": "2.3-next-M5"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "Apache MyFaces Core 3.0",
                            "version_value": "3.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache MyFaces would like to thank Wolfgang Ettlinger (Certitude Consulting GmbH)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"
            },
            {
              "name": "20210219 [CSA-2021-001] Cross-Site Request Forgery in Apache MyFaces",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2021/Feb/66"
            },
            {
              "name": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210528-0007/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20210528-0007/"
            }
          ]
        },
        "source": {
          "defect": [
            "MYFACES-4373"
          ],
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Existing web.xml configuration parameters can be used to direct MyFaces to use SecureRandom for CSRF token generation:\n\norg.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN=secureRandom"
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-26296",
    "datePublished": "2021-02-19T08:30:14.000Z",
    "dateReserved": "2021-01-28T00:00:00.000Z",
    "dateUpdated": "2025-02-13T16:27:52.470Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-26296\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2021-02-19T09:15:13.283\",\"lastModified\":\"2024-11-21T05:56:02.610\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.\"},{\"lang\":\"es\",\"value\":\"En la configuraci\u00f3n predeterminada, Apache MyFaces Core versiones 2.2.0 hasta 2.2.13, versiones 2.3.0 hasta 2.3.7, versiones 2.3-next-M1 hasta 2.3-next-M4 y 3.0.0-RC1, usan tokens de tipo cross-site request forgery (CSRF) impl\u00edcitos y expl\u00edcitos criptogr\u00e1ficamente d\u00e9biles.\u0026#xa0;Debido a esa limitaci\u00f3n, es posible (aunque dif\u00edcil) para un atacante calcular un valor futuro de token CSRF y usar ese valor para enga\u00f1ar al usuario a ejecutar acciones no deseadas en una aplicaci\u00f3n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:N/C:P/I:P/A:P\",\"baseScore\":5.1,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":4.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:myfaces:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.2.0\",\"versionEndIncluding\":\"2.2.13\",\"matchCriteriaId\":\"43C2311F-12BF-4C37-8FF2-B5F555888D92\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:myfaces:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.3.0\",\"versionEndIncluding\":\"2.3.7\",\"matchCriteriaId\":\"ACA9DF3E-01A7-49C4-9E63-1CA07DA1A2C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:myfaces:2.3:next-m1:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF54DDD0-74AA-494B-9F69-C1BA5A208B1F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:myfaces:2.3:next-m2:*:*:*:*:*:*\",\"matchCriteriaId\":\"6DBA33A5-97A2-45D4-AAAC-AD6A05888656\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:myfaces:2.3:next-m3:*:*:*:*:*:*\",\"matchCriteriaId\":\"CBE81BF3-66DB-4BD7-A767-547A727CF9B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:myfaces:2.3:next-m4:*:*:*:*:*:*\",\"matchCriteriaId\":\"3A377CFB-B073-4B74-9CE9-0D09A08FCFCF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:myfaces:3.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7CD2AAA3-C1C0-43B2-BD90-742B0B85CD65\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F1BE6C1F-2565-4E97-92AA-16563E5660A5\"}]}]}],\"references\":[{\"url\":\"http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html\",\"source\":\"security@apache.org\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2021/Feb/66\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20210528-0007/\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2021/Feb/66\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20210528-0007/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

CERTFR-2021-AVI-539

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	N/A	IBM Tivoli Monitoring (installé sur WebSphere Application Server) versions 6.3.0 Fix Pack 7 Service Pack 5
	IBM	N/A	IBM Resilient versions antérieures à 41.0

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6471655 du 16 juillet 2021	None	vendor-advisory
Bulletin de sécurité IBM 6473095 du 16 juillet 2021	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Tivoli Monitoring (install\u00e9 sur WebSphere Application Server) versions 6.3.0 Fix Pack 7 Service Pack 5",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "IBM Resilient versions ant\u00e9rieures \u00e0 41.0",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2015-5262",
      "url": "https://www.cve.org/CVERecord?id=CVE-2015-5262"
    },
    {
      "name": "CVE-2011-1498",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-1498"
    },
    {
      "name": "CVE-2019-19919",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-19919"
    },
    {
      "name": "CVE-2021-20453",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20453"
    },
    {
      "name": "CVE-2012-6153",
      "url": "https://www.cve.org/CVERecord?id=CVE-2012-6153"
    },
    {
      "name": "CVE-2014-3577",
      "url": "https://www.cve.org/CVERecord?id=CVE-2014-3577"
    },
    {
      "name": "CVE-2021-20480",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20480"
    },
    {
      "name": "CVE-2021-20454",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-20454"
    },
    {
      "name": "CVE-2021-26296",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-26296"
    },
    {
      "name": "CVE-2021-32820",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-32820"
    },
    {
      "name": "CVE-2020-5258",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-5258"
    }
  ],
  "initial_release_date": "2021-07-19T00:00:00",
  "last_revision_date": "2021-07-19T00:00:00",
  "links": [],
  "reference": "CERTFR-2021-AVI-539",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-07-19T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6471655 du 16 juillet 2021",
      "url": "https://www.ibm.com/support/pages/node/6471655"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6473095 du 16 juillet 2021",
      "url": "https://www.ibm.com/support/pages/node/6473095"
    }
  ]
}

CERTFR-2021-AVI-395

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans IBM Spectrum Control. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	IBM	Spectrum	Versions antérieures à 5.4.3

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 6454803 du 20 mai 2021

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Versions ant\u00e9rieures \u00e0 5.4.3",
      "product": {
        "name": "Spectrum",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2021-21343",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21343"
    },
    {
      "name": "CVE-2021-21348",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21348"
    },
    {
      "name": "CVE-2021-21344",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21344"
    },
    {
      "name": "CVE-2021-21341",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21341"
    },
    {
      "name": "CVE-2021-3450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3450"
    },
    {
      "name": "CVE-2020-14781",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-14781"
    },
    {
      "name": "CVE-2020-27221",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-27221"
    },
    {
      "name": "CVE-2021-21347",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21347"
    },
    {
      "name": "CVE-2021-3449",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-3449"
    },
    {
      "name": "CVE-2021-21346",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21346"
    },
    {
      "name": "CVE-2021-21351",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21351"
    },
    {
      "name": "CVE-2021-21345",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21345"
    },
    {
      "name": "CVE-2020-14782",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-14782"
    },
    {
      "name": "CVE-2021-22884",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22884"
    },
    {
      "name": "CVE-2021-22883",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-22883"
    },
    {
      "name": "CVE-2021-21349",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21349"
    },
    {
      "name": "CVE-2021-23840",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-23840"
    },
    {
      "name": "CVE-2021-26296",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-26296"
    },
    {
      "name": "CVE-2021-21342",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21342"
    },
    {
      "name": "CVE-2021-21350",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-21350"
    },
    {
      "name": "CVE-2020-5258",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-5258"
    }
  ],
  "initial_release_date": "2021-05-21T00:00:00",
  "last_revision_date": "2021-05-21T00:00:00",
  "links": [],
  "reference": "CERTFR-2021-AVI-395",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2021-05-21T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM Spectrum\nControl. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM Spectrum Control",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 6454803 du 20 mai 2021",
      "url": "https://www.ibm.com/support/pages/node/6454803"
    }
  ]
}

ghsa-gq67-pp9w-43gp

Vulnerability from github

Published

2021-06-16 17:31

Modified

2021-05-07 21:12

Summary

Cryptographically weak CSRF tokens in Apache MyFaces

Details

Mitigation: Existing web.xml configuration parameters can be used to direct MyFaces to use SecureRandom for CSRF token generation:

org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN=secureRandom org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN=secureRandom org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN=secureRandom

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.myfaces.core:myfaces-core-module"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.25"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.myfaces.core:myfaces-core-module"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1.0"
            },
            {
              "fixed": "2.1.19"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.myfaces.core:myfaces-core-module"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2.0"
            },
            {
              "fixed": "2.2.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.myfaces.core:myfaces-core-module"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.3.0"
            },
            {
              "fixed": "2.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-26296"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330",
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-07T21:12:38Z",
    "nvd_published_at": "2021-02-19T09:15:00Z",
    "severity": "HIGH"
  },
  "details": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.\n\n\nMitigation:\nExisting web.xml configuration parameters can be used to direct\nMyFaces to use SecureRandom for CSRF token generation:\n\norg.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN=secureRandom",
  "id": "GHSA-gq67-pp9w-43gp",
  "modified": "2021-05-07T21:12:38Z",
  "published": "2021-06-16T17:31:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-26296"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/myfaces/commit/cc6e1cc7b9aa17e52452f7f2657b3af9c421b2b2"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/MYFACES-4373"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20210528-0007"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2021/Feb/66"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Cryptographically weak CSRF tokens in Apache MyFaces"
}

gsd-2021-26296

Vulnerability from gsd

Modified

2023-12-13 01:23

Details

Aliases

CVE-2021-26296

Aliases

CVE-2021-26296

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-26296",
    "description": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.",
    "id": "GSD-2021-26296",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2021-26296"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-26296"
      ],
      "details": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.",
      "id": "GSD-2021-26296",
      "modified": "2023-12-13T01:23:33.277305Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security@apache.org",
        "ID": "CVE-2021-26296",
        "STATE": "PUBLIC",
        "TITLE": "Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "Apache MyFaces Core",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "Apache MyFaces Core 2.2",
                          "version_value": "2.2.14"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "Apache MyFaces Core 2.3",
                          "version_value": "2.3.8"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "Apache MyFaces Core 2.3-next",
                          "version_value": "2.3-next-M5"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "Apache MyFaces Core 3.0",
                          "version_value": "3.0.0"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Apache Software Foundation"
            }
          ]
        }
      },
      "credit": [
        {
          "lang": "eng",
          "value": "Apache MyFaces would like to thank Wolfgang Ettlinger (Certitude Consulting GmbH)"
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "impact": {},
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-352 Cross-Site Request Forgery (CSRF)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"
          },
          {
            "name": "20210219 [CSA-2021-001] Cross-Site Request Forgery in Apache MyFaces",
            "refsource": "FULLDISC",
            "url": "http://seclists.org/fulldisclosure/2021/Feb/66"
          },
          {
            "name": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html",
            "refsource": "MISC",
            "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20210528-0007/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20210528-0007/"
          }
        ]
      },
      "source": {
        "defect": [
          "MYFACES-4373"
        ],
        "discovery": "UNKNOWN"
      },
      "work_around": [
        {
          "lang": "eng",
          "value": "Existing web.xml configuration parameters can be used to direct MyFaces to use SecureRandom for CSRF token generation:\n\norg.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN=secureRandom\norg.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN=secureRandom"
        }
      ]
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "(,2.0.25),[2.1.0,2.1.19),[2.2.0,2.2.14),[2.3.0,2.3.8)",
          "affected_versions": "All versions before 2.0.25, all versions starting from 2.1.0 before 2.1.19, all versions starting from 2.2.0 before 2.2.14, all versions starting from 2.3.0 before 2.3.8",
          "cvss_v2": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-352",
            "CWE-352",
            "CWE-937"
          ],
          "date": "2021-06-16",
          "description": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.",
          "fixed_versions": [
            "2.0.25",
            "2.1.19",
            "2.2.14",
            "2.3.8"
          ],
          "identifier": "CVE-2021-26296",
          "identifiers": [
            "GHSA-gq67-pp9w-43gp",
            "CVE-2021-26296"
          ],
          "not_impacted": "All versions starting from 2.0.25 before 2.1.0, all versions starting from 2.1.19 before 2.2.0, all versions starting from 2.2.14 before 2.3.0, all versions starting from 2.3.8",
          "package_slug": "maven/org.apache.myfaces.core/myfaces-core-module",
          "pubdate": "2021-06-16",
          "solution": "Upgrade to versions 2.0.25, 2.1.19, 2.2.14, 2.3.8 or above.",
          "title": "Cross-Site Request Forgery (CSRF)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-26296",
            "https://github.com/apache/myfaces/commit/cc6e1cc7b9aa17e52452f7f2657b3af9c421b2b2",
            "https://github.com/advisories/GHSA-gq67-pp9w-43gp"
          ],
          "uuid": "c5e623fd-7710-485c-9464-990c6223d786"
        },
        {
          "affected_range": "[2.2.0,2.2.13],[2.3,2.3.7],[3.0.0]",
          "affected_versions": "All versions starting from 2.2.0 up to 2.2.13, all versions starting from 2.3 up to 2.3.7, version 3.0.0",
          "cvss_v2": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-352",
            "CWE-937"
          ],
          "date": "2021-06-02",
          "description": "In the default configuration, Apache MyFaces Core to to to use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.",
          "fixed_versions": [
            "2.2.14",
            "2.3.8"
          ],
          "identifier": "CVE-2021-26296",
          "identifiers": [
            "CVE-2021-26296"
          ],
          "not_impacted": "All versions before 2.2.0, all versions after 2.2.13 before 2.3, all versions after 2.3.7 before 3.0.0, all versions after 3.0.0",
          "package_slug": "maven/org.apache.myfaces.core/myfaces-impl",
          "pubdate": "2021-02-19",
          "solution": "Upgrade to versions 2.2.14, 2.3.8 or above.",
          "title": "Cross-Site Request Forgery (CSRF)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-26296",
            "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html",
            "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"
          ],
          "uuid": "fedd45b1-fdfd-4a4a-8707-b6f4922f74b5"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:myfaces:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.2.13",
                "versionStartIncluding": "2.2.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:myfaces:2.3:next-m1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:myfaces:2.3:next-m2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:myfaces:2.3:next-m3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:myfaces:2.3:next-m4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:myfaces:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.3.7",
                "versionStartIncluding": "2.3.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:myfaces:3.0.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-26296"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E",
              "refsource": "MISC",
              "tags": [
                "Mailing List",
                "Vendor Advisory"
              ],
              "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"
            },
            {
              "name": "20210219 [CSA-2021-001] Cross-Site Request Forgery in Apache MyFaces",
              "refsource": "FULLDISC",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://seclists.org/fulldisclosure/2021/Feb/66"
            },
            {
              "name": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20210528-0007/",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20210528-0007/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "HIGH",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.1,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 4.9,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-06-02T15:15Z",
      "publishedDate": "2021-02-19T09:15Z"
    }
  }
}

fkie_cve-2021-26296

Vulnerability from fkie_nvd

Published

2021-02-19 09:15

Modified

2024-11-21 05:56

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security@apache.org	http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html	Exploit, Third Party Advisory, VDB Entry
security@apache.org	http://seclists.org/fulldisclosure/2021/Feb/66	Mailing List, Third Party Advisory
security@apache.org	https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E	Mailing List, Vendor Advisory
security@apache.org	https://security.netapp.com/advisory/ntap-20210528-0007/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html	Exploit, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	http://seclists.org/fulldisclosure/2021/Feb/66	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E	Mailing List, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20210528-0007/	Third Party Advisory

Impacted products

Vendor	Product	Version
apache	myfaces	*
apache	myfaces	*
apache	myfaces	2.3
apache	myfaces	2.3
apache	myfaces	2.3
apache	myfaces	2.3
apache	myfaces	3.0.0
netapp	oncommand_insight	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:myfaces:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "43C2311F-12BF-4C37-8FF2-B5F555888D92",
              "versionEndIncluding": "2.2.13",
              "versionStartIncluding": "2.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:myfaces:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ACA9DF3E-01A7-49C4-9E63-1CA07DA1A2C2",
              "versionEndIncluding": "2.3.7",
              "versionStartIncluding": "2.3.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:myfaces:2.3:next-m1:*:*:*:*:*:*",
              "matchCriteriaId": "EF54DDD0-74AA-494B-9F69-C1BA5A208B1F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:myfaces:2.3:next-m2:*:*:*:*:*:*",
              "matchCriteriaId": "6DBA33A5-97A2-45D4-AAAC-AD6A05888656",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:myfaces:2.3:next-m3:*:*:*:*:*:*",
              "matchCriteriaId": "CBE81BF3-66DB-4BD7-A767-547A727CF9B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:myfaces:2.3:next-m4:*:*:*:*:*:*",
              "matchCriteriaId": "3A377CFB-B073-4B74-9CE9-0D09A08FCFCF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:myfaces:3.0.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "7CD2AAA3-C1C0-43B2-BD90-742B0B85CD65",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1BE6C1F-2565-4E97-92AA-16563E5660A5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application."
    },
    {
      "lang": "es",
      "value": "En la configuraci\u00f3n predeterminada, Apache MyFaces Core versiones 2.2.0 hasta 2.2.13, versiones 2.3.0 hasta 2.3.7, versiones 2.3-next-M1 hasta 2.3-next-M4 y 3.0.0-RC1, usan tokens de tipo cross-site request forgery (CSRF) impl\u00edcitos y expl\u00edcitos criptogr\u00e1ficamente d\u00e9biles.\u0026#xa0;Debido a esa limitaci\u00f3n, es posible (aunque dif\u00edcil) para un atacante calcular un valor futuro de token CSRF y usar ese valor para enga\u00f1ar al usuario a ejecutar acciones no deseadas en una aplicaci\u00f3n"
    }
  ],
  "id": "CVE-2021-26296",
  "lastModified": "2024-11-21T05:56:02.610",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.1,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-02-19T09:15:13.283",
  "references": [
    {
      "source": "security@apache.org",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2021/Feb/66"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"
    },
    {
      "source": "security@apache.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20210528-0007/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://seclists.org/fulldisclosure/2021/Feb/66"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Vendor Advisory"
      ],
      "url": "https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20210528-0007/"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

cnvd-2021-13225

Vulnerability from cnvd

Title

Apache MyFaces跨站请求伪造漏洞

Description

Apache MyFaces Trinidad是美国阿帕奇（Apache）基金会的一款包含大量的企业级组件库并支持附件的JSF框架。 Apache MyFaces 中存在跨站请求伪造漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。

Severity

中

Formal description

目前厂商暂未发布修复措施解决此安全问题，建议使用此软件的用户随时关注厂商主页或参考网址以获取解决办法： https://access.redhat.com/security/cve/cve-2021-26296

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-26296

Impacted products

Name
['Apache MyFaces >=2.2.0，<=2.2.13', 'Apache MyFaces >=2.3.0，<=2.3.7', 'Apache MyFaces >=2.3-next-M1，<=2.3-next-M4', 'Apache MyFaces 3.0.0-RC1']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-26296",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-26296"
    }
  },
  "description": "Apache MyFaces Trinidad\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5305\u542b\u5927\u91cf\u7684\u4f01\u4e1a\u7ea7\u7ec4\u4ef6\u5e93\u5e76\u652f\u6301\u9644\u4ef6\u7684JSF\u6846\u67b6\u3002\n\nApache MyFaces \u4e2d\u5b58\u5728\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8eWEB\u5e94\u7528\u7f3a\u5c11\u5bf9\u5ba2\u6237\u7aef\u6570\u636e\u7684\u6b63\u786e\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u6682\u672a\u53d1\u5e03\u4fee\u590d\u63aa\u65bd\u89e3\u51b3\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u6216\u53c2\u8003\u7f51\u5740\u4ee5\u83b7\u53d6\u89e3\u51b3\u529e\u6cd5\uff1a\r\nhttps://access.redhat.com/security/cve/cve-2021-26296",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-13225",
  "openTime": "2021-02-27",
  "products": {
    "product": [
      "Apache MyFaces \u003e=2.2.0\uff0c\u003c=2.2.13",
      "Apache MyFaces \u003e=2.3.0\uff0c\u003c=2.3.7",
      "Apache MyFaces \u003e=2.3-next-M1\uff0c\u003c=2.3-next-M4",
      "Apache MyFaces 3.0.0-RC1"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-26296",
  "serverity": "\u4e2d",
  "submitTime": "2021-02-21",
  "title": "Apache MyFaces\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2021-26296 (GCVE-0-2021-26296)

Vulnerability from cvelistv5

CERTFR-2021-AVI-539

Vulnerability from certfr_avis

Solution

CERTFR-2021-AVI-395

Vulnerability from certfr_avis

Solution

ghsa-gq67-pp9w-43gp

Vulnerability from github

gsd-2021-26296

Vulnerability from gsd

fkie_cve-2021-26296

Vulnerability from fkie_nvd

cnvd-2021-13225

Vulnerability from cnvd

Tags

Sightings

Nomenclature