Skip to content

Cryptographically weak CSRF tokens in Apache MyFaces

High severity GitHub Reviewed Published Jun 16, 2021 to the GitHub Advisory Database • Updated Feb 1, 2023

Package

maven org.apache.myfaces.core:myfaces-core-module (Maven)

Affected versions

< 2.0.25
>= 2.1.0, < 2.1.19
>= 2.2.0, < 2.2.14
>= 2.3.0, < 2.3.8

Patched versions

2.0.25
2.1.19
2.2.14
2.3.8

Description

In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.

Mitigation:
Existing web.xml configuration parameters can be used to direct
MyFaces to use SecureRandom for CSRF token generation:

org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN=secureRandom
org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN=secureRandom
org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN=secureRandom

References

Published by the National Vulnerability Database Feb 19, 2021
Reviewed May 7, 2021
Published to the GitHub Advisory Database Jun 16, 2021
Last updated Feb 1, 2023

Severity

High

EPSS score

0.347%
(71st percentile)

CVE ID

CVE-2021-26296

GHSA ID

GHSA-gq67-pp9w-43gp

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.