Uploaded image for project: 'MyFaces Trinidad'
  1. MyFaces Trinidad
  2. TRINIDAD-2542

CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.2.14-core , 1.0.13-core , 2.0.1-core, 2.1.1-core
    • Component/s: Components
    • Labels:
      None

      Description

      Trinidad’s CoreResponseStateManager both reads and writes view state strings using ObjectInputStream/ObjectOutputStream directly. By doing so, Trinidad bypasses the view state security features provided by the JSF implementations - ie. the view state is not encrypted and is not MAC’ed.

      Trinidad’s CoreResponseStateManager will blindly deserialize untrusted view state strings, which makes Trinidad-based applications vulnerable to deserialization attacks.

        Attachments

          Activity

            People

            • Assignee:
              lu4242 Leonardo Uribe
              Reporter:
              mkienenb Mike Kienenberger
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: