[ https://issues.apache.org/jira/browse/TRINIDAD-2542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mike Kienenberger resolved TRINIDAD-2542. ----------------------------------------- Resolution: Fixed Assignee: Leonardo Uribe Fix Version/s: 2.1.2-core 2.0.2-core 1.2.15-core > CVE-2016-5019: MyFaces Trinidad view state deserialization security > vulnerability > --------------------------------------------------------------------------------- > > Key: TRINIDAD-2542 > URL: https://issues.apache.org/jira/browse/TRINIDAD-2542 > Project: MyFaces Trinidad > Issue Type: Bug > Components: Components > Affects Versions: 1.2.14-core , 1.0.13-core , 2.0.1-core, 2.1.1-core > Reporter: Mike Kienenberger > Assignee: Leonardo Uribe > Priority: Critical > Fix For: 1.2.15-core , 2.0.2-core, 2.1.2-core > > > Trinidad’s CoreResponseStateManager both reads and writes view state strings > using ObjectInputStream/ObjectOutputStream directly. By doing so, Trinidad > bypasses the view state security features provided by the JSF implementations > - ie. the view state is not encrypted and is not MAC’ed. > Trinidad’s CoreResponseStateManager will blindly deserialize untrusted view > state strings, which makes Trinidad-based applications vulnerable to > deserialization attacks. -- This message was sent by Atlassian JIRA (v6.3.4#6332)