-
CVSS Score
-
Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.apache.myfaces.shared:myfaces-shared-core | maven | >= 1.1.0, < 1.1.8 | 1.1.8 |
| org.apache.myfaces.shared:myfaces-shared-core | maven | >= 1.2.0, < 1.2.9 | 1.2.9 |
| org.apache.myfaces.shared:myfaces-shared-core | maven | >= 2.0.0, < 2.0.1 | 2.0.1 |
| org.apache.myfaces.core:myfaces-impl | maven | >= 1.1.0, < 1.1.8 | 1.1.8 |
| org.apache.myfaces.core:myfaces-impl | maven | >= 1.2.0, < 1.2.9 | 1.2.9 |
| org.apache.myfaces.core:myfaces-impl | maven | >= 2.0.0, < 2.0.1 | 2.0.1 |
The vulnerability is the absence of MAC validation in view state processing. The affected functions are encrypt() and decrypt() in StateUtils, which performed the cryptographic operations with no integrity check, so a client could hand back modified ciphertext and have the server decrypt it and pass the result to the deserializer. The patch adds MAC generation to encrypt() and MAC verification to decrypt(), which confirms these as the vulnerable points. reconstruct() appears in call stacks because it is the entry point for state deserialization that triggers the decryption. The removed symmetric() method, replaced with MAC-aware logic, marks where the unauthenticated crypto operations took place.
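The following is an added example, not MyFaces code, showing the two shapes the paragraph contrasts: an encrypt()/decrypt() pair with no integrity check, and the encrypt-then-MAC form in which decrypt() verifies the tag before touching the ciphertext. Everything here is an assumption for illustration: the function names, the fixed keys and IV, the serialized state string, and the cipher itself (Python's standard library has no AES, so HMAC-SHA256 in counter mode stands in for the block cipher; the HMAC integrity layer is the real thing).

```python
"""Encrypt-then-MAC for serialized view state beside the unauthenticated form.

Added example, not MyFaces code.  A keystream derived from HMAC-SHA256 in
counter mode stands in for the block cipher; the MAC layer is real HMAC.
"""
import hashlib
import hmac
import struct

IV_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 digest length

# Constructed keys for the demonstration only (not MyFaces defaults).
ENC_KEY = hashlib.sha256(b"example-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"example-mac-key").digest()


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """HMAC-SHA256(key, iv || counter) blocks, a stand-in for a CTR-mode cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Vulnerable shape: encryption with no integrity check ------------------

def encrypt_unauthenticated(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Shape of the old encrypt(): iv || ciphertext, no MAC."""
    return iv + _xor(plaintext, _keystream(key, iv, len(plaintext)))


def decrypt_unauthenticated(key: bytes, blob: bytes) -> bytes:
    """Decrypts whatever the client sent; tampered bytes reach the deserializer."""
    iv, ciphertext = blob[:IV_LEN], blob[IV_LEN:]
    return _xor(ciphertext, _keystream(key, iv, len(ciphertext)))


# --- Fixed shape: encrypt-then-MAC, verify before decrypt ------------------

def encrypt_then_mac(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    body = encrypt_unauthenticated(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    if len(blob) < IV_LEN + TAG_LEN:
        raise ValueError("view state too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("view state MAC mismatch")
    return decrypt_unauthenticated(enc_key, body)


# --- Attacker: flip ciphertext bits to rewrite known plaintext ------------

def tamper(blob: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """XOR the ciphertext so that `old` at plaintext offset `offset` decrypts as `new`.
    Exact for stream modes; in CBC the same trick lands one block later and
    garbles the preceding block, but the MAC question is the same."""
    out = bytearray(blob)
    for i, (o, n) in enumerate(zip(old, new)):
        out[IV_LEN + offset + i] ^= o ^ n
    return bytes(out)


STATE = b"viewId=/admin.xhtml;role=user"  # constructed serialized view state
IV = bytes(range(IV_LEN))                 # fixed IV so the run is repeatable


def attack_unauthenticated() -> bytes:
    """Without a MAC the server decrypts the forged state as role=root."""
    blob = encrypt_unauthenticated(ENC_KEY, IV, STATE)
    forged = tamper(blob, STATE.index(b"user"), b"user", b"root")
    return decrypt_unauthenticated(ENC_KEY, forged)


def attack_authenticated() -> str:
    """With the MAC the same forgery is rejected before any decryption runs."""
    blob = encrypt_then_mac(ENC_KEY, MAC_KEY, IV, STATE)
    forged = tamper(blob, STATE.index(b"user"), b"user", b"root")
    try:
        verify_then_decrypt(ENC_KEY, MAC_KEY, forged)
    except ValueError as e:
        return str(e)
    return "accepted"


def roundtrip() -> bytes:
    """Untampered state still verifies and decrypts."""
    return verify_then_decrypt(ENC_KEY, MAC_KEY, encrypt_then_mac(ENC_KEY, MAC_KEY, IV, STATE))


if __name__ == "__main__":
    print(attack_unauthenticated())   # forged state accepted
    print(attack_authenticated())     # forged state rejected
```

The point of the ordering in verify_then_decrypt() is that the tag is checked over the ciphertext before decryption starts, so neither the cipher's padding handling nor the deserializer ever sees attacker-modified bytes; verifying a MAC over the plaintext after decryption would leave the padding-oracle surface in place.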