Advisories for Maven/Org.apache.myfaces.core/Myfaces-Impl package

In the default configuration, Apache MyFaces Core to to to use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.

This package allow remote attackers to read arbitrary files via a .. in the ln parameter to faces/javax.faces.resource/web.xml or the PATH_INFO to faces/javax.faces.resource/.

shared/util/StateUtils.java in this package uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracle attack.