Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 18 Feb 2021 12:53:39 -0500
From: Bill Lucy <>
Subject: CVE-2021-26296: Cross-Site Request Forgery (CSRF) vulnerability in
 Apache MyFaces

In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13,
2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use
cryptographically weak implicit and explicit cross-site request forgery
(CSRF) tokens. Due to that limitation, it is possible (although difficult)
for an attacker to calculate a future CSRF token value and to use that
value to trick a user into executing unwanted actions on an application.

This issue is being tracked as MYFACES-4373

Existing web.xml configuration parameters can be used to direct MyFaces to
use SecureRandom for CSRF token generation:


Apache MyFaces would like to thank Wolfgang Ettlinger (Certitude Consulting

Bill Lucy, MyFaces PMC

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.