NVD Vulnerability Detail

CVE-2021-26296

Summary	In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.
Publication Date	Feb. 19, 2021, 6:15 p.m.
Registration Date	Feb. 20, 2021, 10:02 a.m.
Last Update	Nov. 21, 2024, 2:56 p.m.

Affected software configurations

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:netapp:oncommand_insight:-:::::::*

Related information, measures and tools

No	URL	タグ
1	http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html	Exploit Third Party Advisory VDB Entry
2	http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html	Exploit Third Party Advisory VDB Entry
3	http://seclists.org/fulldisclosure/2021/Feb/66	Mailing List Third Party Advisory
4	http://seclists.org/fulldisclosure/2021/Feb/66	Mailing List Third Party Advisory
5	https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E	Mailing List Vendor Advisory
6	https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E	Mailing List Vendor Advisory
7	https://security.netapp.com/advisory/ntap-20210528-0007/	Third Party Advisory
8	https://security.netapp.com/advisory/ntap-20210528-0007/	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-352	クロスサイト・リクエスト・フォージェリ（CSRF）	https://cwe.mitre.org/data/definitions/352.html
2	CWE-352	同一生成元ポリシー違反	https://cwe.mitre.org/data/definitions/346.html

JVN Vulnerability Information

Apache MyFaces Core におけるクロスサイトリクエストフォージェリの脆弱性

Title	Apache MyFaces Core におけるクロスサイトリクエストフォージェリの脆弱性
Summary	Apache MyFaces Core には、クロスサイトリクエストフォージェリの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Feb. 19, 2021, midnight
Registration Date	Nov. 8, 2021, 10:37 a.m.
Last Update	Nov. 8, 2021, 10:37 a.m.

Affected System

Apache Software Foundation

MyFaces 2.2.0 から 2.2.13

MyFaces 2.3-next-M1 から 2.3-next-M4

MyFaces 2.3.0 から 2.3.7

MyFaces 3.0.0-RC1

NetApp

OnCommand Insight

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-26296	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26296
National Vulnerability Database (NVD)
2	CVE-2021-26296	https://nvd.nist.gov/vuln/detail/CVE-2021-26296
Pony Mail
3	CVE-2021-26296: Cross-Site Request Forgery (CSRF) vulnerability in Apache MyFaces	https://lists.apache.org/thread.html/r2b73e2356c6155e9ec78fdd8f72a4fac12f3e588014f5f535106ed9b%40%3Cannounce.apache.org%3E

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-352	https://jvndb.jvn.jp/ja/cwe/CWE-352.html

ベンダー情報

No	Name	URL
NetApp Advisory
1	NTAP-20210528-0007	https://security.netapp.com/advisory/ntap-20210528-0007/

その他

No	Name	URL
関連文書
1	Apache MyFaces 2.x Cross Site Request Forgery	http://packetstormsecurity.com/files/161484/Apache-MyFaces-2.x-Cross-Site-Request-Forgery.html

Change Log

No	Changed Details	Date of change
1	[2021年11月08日] 掲載	Nov. 8, 2021, 10:37 a.m.