Lucene search
Veracode Vulnerability DatabaseVERACODE:29454HistoryFeb 22, 2021 - 7:08 a.m.
Insecure Anti-CSRF Tokens
2021-02-2207:08:20
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
28
0.002 Low
EPSS
Percentile
57.3%
myfaces-impl uses an insecure cryptographic random for anti-CSRF tokens. The usage of the insecure tokens would allow an attacker to predict subsequent anti-CSRF token values and successfully perform requests on behalf of the users.
References
packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html
seclists.org/fulldisclosure/2021/Feb/66
github.com/apache/myfaces/pull/149
lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E
security.netapp.com/advisory/ntap-20210528-0007/
Related
ibm
ibm
Security Bulletin: Vulnerability in Apache MyFaces affects WebSphere Application Server (CVE-2021-26296)
2021-04-12 17:31:11
prion
prion
Cross site request forgery (csrf)
2021-02-19 09:15:00
nvd
nvd
CVE-2021-26296
2021-02-19 09:15:13
packetstorm
packetstorm
Apache MyFaces 2.x Cross Site Request Forgery
2021-02-20 00:00:00
cve
cve
CVE-2021-26296
2021-02-19 09:15:13
osv
osv
Cryptographically weak CSRF tokens in Apache MyFaces
2021-06-16 17:31:39
CVE-2021-26296
2021-02-19 09:15:13
redhat
redhat
(RHSA-2021:2439) Important: Open Liberty 21.0.0.6 Runtime security update
2021-06-15 13:03:25
redhatcve
redhatcve
CVE-2021-26296
2021-02-18 21:24:39
zdt
zdt
Apache MyFaces 2.x Cross Site Request Forgery Vulnerability
2021-02-20 00:00:00
github
github
Cryptographically weak CSRF tokens in Apache MyFaces
2021-06-16 17:31:39
cvelist
cvelist