Lucene search

[email protected]CVE-2016-5019

HistoryOct 03, 2016 - 6:59 p.m.

CVE-2016-5019

2016-10-0318:59:04

CWE-502

[email protected]

web.nvd.nist.gov

apache

myfaces

trinidad

cve-2016-5019

deserialization

attack

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.9%

JSON

CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string.

Affected configurations

NVD

Node

apachemyfaces_trinidadRange1.0.0–1.0.13

apachemyfaces_trinidadRange1.2.0–1.2.15

apachemyfaces_trinidadRange2.0.0–2.0.2

apachemyfaces_trinidadRange2.1.0–2.1.2

CPENameOperatorVersion
apache:myfaces_trinidadapache myfaces trinidadlt1.0.13
apache:myfaces_trinidadapache myfaces trinidadlt1.2.15
apache:myfaces_trinidadapache myfaces trinidadlt2.0.2
apache:myfaces_trinidadapache myfaces trinidadlt2.1.2

CPE	Name	Operator	Version
apache:myfaces_trinidad	apache myfaces trinidad	lt	1.0.13
apache:myfaces_trinidad	apache myfaces trinidad	lt	1.2.15
apache:myfaces_trinidad	apache myfaces trinidad	lt	2.0.2
apache:myfaces_trinidad	apache myfaces trinidad	lt	2.1.2

References

mail-archives.apache.org/mod_mbox/myfaces-users/201609.mbox/%3CCAM1yOjYM%2BEW3mLUfX0pNAVLfUFRAw-Bhvkp3UE5%3DEQzR8Yxsfw%40mail.gmail.com%3E

packetstormsecurity.com/files/138920/Apache-MyFaces-Trinidad-Information-Disclosure.html

www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

www.securityfocus.com/bid/93236

www.securitytracker.com/id/1037633

issues.apache.org/jira/browse/TRINIDAD-2542

www.oracle.com/security-alerts/cpujan2020.html

www.oracle.com/security-alerts/cpujul2020.html

Social References

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.9%

JSON

Related for CVE-2016-5019

symantec1 osv1 zdt1 prion1 github1 cvelist1 nvd1 nessus3 oracle10