Deserialization Vulnerability in Apache MyFaces Trinidad Affects Multiple Versions
CVE-2016-5019

9.8CRITICAL

Key Information:

Vendor
Apache
Status
Myfaces Trinidad
Vendor
CVE Published:
3 October 2016

Summary

A deserialization vulnerability in the CoreResponseStateManager component of Apache MyFaces Trinidad allows attackers to exploit crafted serialized view state strings. This may enable unauthorized actions or data manipulation, presenting significant risks to web applications using vulnerable versions. Proper validation and sanitization of serialized data are crucial to mitigate this security issue.

References

http://mail-archives.apache.org/mod_mbox/myfaces-users/20...
mailing-listx_refsource_MLIST
http://www.securityfocus.com/bid/93236
vdb-entryx_refsource_BID
http://www.securitytracker.com/id/1037633
vdb-entryx_refsource_SECTRACK

EPSS Score

6% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.