PT-2016-6220 · Apache · Apache MyFaces Trinidad

Published: 2016-10-03
Updated: 2022-05-13
CVE-2016-5019

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache MyFaces Trinidad versions 1.0.0 through 1.0.13
Apache MyFaces Trinidad versions 1.2.x before 1.2.15
Apache MyFaces Trinidad versions 2.0.x before 2.0.2
Apache MyFaces Trinidad versions 2.1.x before 2.1.2

Description

The issue allows attackers to conduct deserialization attacks via a crafted serialized view state string. This could potentially be exploited by sending a malicious string to the CoreResponseStateManager in Apache MyFaces Trinidad.

Recommendations

For versions 1.0.0 through 1.0.13, update to a version after 1.0.13 to resolve the issue.
For versions 1.2.x before 1.2.15, update to version 1.2.15 or later to resolve the issue.
For versions 2.0.x before 2.0.2, update to version 2.0.2 or later to resolve the issue.
For versions 2.1.x before 2.1.2, update to version 2.1.2 or later to resolve the issue.

As a temporary workaround, consider restricting the input to the CoreResponseStateManager to prevent deserialization attacks via crafted serialized view state strings.

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2016-5019
GHSA-X7RC-4GQW-3Q6Q

Affected Products

Apache MyFaces Trinidad