VulnerableCode Package Details - pkg:maven/org.apache.myfaces.core/myfaces-impl@3.0.1

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-g765-9v1u-augp	Cryptographically weak CSRF tokens in Apache MyFaces In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application. Mitigation: Existing web.xml configuration parameters can be used to direct MyFaces to use SecureRandom for CSRF token generation: org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN=secureRandom org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN=secureRandom org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN=secureRandom	CVE-2021-26296 GHSA-gq67-pp9w-43gp

Vulnerability

Summary

Aliases

VCID-g765-9v1u-augp

Cryptographically weak CSRF tokens in Apache MyFaces In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application. Mitigation: Existing web.xml configuration parameters can be used to direct MyFaces to use SecureRandom for CSRF token generation: org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN=secureRandom org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN=secureRandom org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN=secureRandom

CVE-2021-26296
GHSA-gq67-pp9w-43gp

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:17:35.769787+00:00	GitLab Importer	Fixing	VCID-g765-9v1u-augp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.myfaces.core/myfaces-impl/CVE-2021-26296.yml	38.4.0
2026-04-11T22:29:45.571328+00:00	GitLab Importer	Fixing	VCID-g765-9v1u-augp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.myfaces.core/myfaces-impl/CVE-2021-26296.yml	38.3.0
2026-04-02T22:41:15.762180+00:00	GitLab Importer	Fixing	VCID-g765-9v1u-augp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.myfaces.core/myfaces-impl/CVE-2021-26296.yml	38.1.0
2026-04-01T16:58:46.565196+00:00	GitLab Importer	Fixing	VCID-g765-9v1u-augp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.myfaces.core/myfaces-impl/CVE-2021-26296.yml	38.0.0