Clarification: The first line in this CVE [1] was a copy error
during message composition and is not part of the CVE. This line can
make it sound as if CVE-2016-5019 is only an information disclosure
vulnerability rather than a deserialization attack vector. I
apologize for the confusion.
On
ility" was a cut error. It should
be "deserialization security vulnerability" -- I'll see what I can do to get
that corrected.
> CVE-2016-5019: MyFaces Trinidad view state deserialization se
http://seclists.org/oss-sec/2016/q3/667
> CVE-2016-5019: MyFaces Trinidad view state deserialization security
> vulnerability
> -
>
> Key: TRINIDAD-2542
> URL: https://
will prevent certain well-known vectors of attack, but will not entirely resolve this issue.
> CVE-2016-5019: MyFaces Trinidad view state deserialization security
> vulnerability
> -
>
> Key
-core
2.0.2-core
1.2.15-core
> CVE-2016-5019: MyFaces Trinidad view state deserialization security
> vulnerability
> -
>
> Key: TRINIDAD-2542
>
CVE-2016-5019 Apache MyFaces Trinidad information disclosure vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Trinidad from 1.0.0 to 1.0.13
Trinidad from 1.2.1 to 1.2.14
Trinidad from 2.0.0 to 2.0.1
Trinidad from 2.1.0 to 2.1.1
Description: