Uploaded image for project: 'MyFaces Trinidad'
  1. MyFaces Trinidad
  2. TRINIDAD-2542

CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • 1.2.14-core , 1.0.13-core , 2.0.1-core, 2.1.1-core
    • 1.2.15-core , 2.0.2-core, 2.1.2-core
    • Components
    • None

    Description

      Trinidad’s CoreResponseStateManager both reads and writes view state strings using ObjectInputStream/ObjectOutputStream directly. By doing so, Trinidad bypasses the view state security features provided by the JSF implementations - ie. the view state is not encrypted and is not MAC’ed.

      Trinidad’s CoreResponseStateManager will blindly deserialize untrusted view state strings, which makes Trinidad-based applications vulnerable to deserialization attacks.

      Attachments

        Activity

          People

            lu4242 Leonardo Uribe
            mkienenb Mike Kienenberger
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: