CVE-2016-5019 Information

Description

CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13 1.2.x before 1.2.15 2.0.x before 2.0.2 and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://mail-archives.apache.org/mod_mbox/myfaces-users/201609.mbox/3CCAM1yOjYM2BEW3mLUfX0pNAVLfUFRAw-Bhvkp3UE53DEQzR8Yxsfw40mail.gmail.com3E http://packetstormsecurity.com/files/138920/Apache-MyFaces-Trinidad-Information-Disclosure.html http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/93236 http://www.securitytracker.com/id/1037633 https://issues.apache.org/jira/browse/TRINIDAD-2542 https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/security-alerts/cpujul2020.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8