CVE-2016-5019
moderate-risk
Published 2016-10-03
CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string.
Do I need to act?
6.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Fix available
Fixed in commits: 859ef660eb7362863208cfdc254b3a73f414dbe4, 38e019904dd58b1c45e62bb1cb7d2da58ef2ccb6, cf028379cfc5a30e0159939e65e0c14374231985, 1bf7628b1c3d719061a237b00736f625409ab86a
CVSS 9.8/10
Critical
NETWORK / LOW complexity
Affected Products (1)
Myfaces Trinidad
Affected Vendors
References (26)
Third Party Advisory: http://packetstormsecurity.com/files/138920/Apache-MyFaces-Trinidad-Information-...
Third Party Advisory: http://www.securityfocus.com/bid/93236
Third Party Advisory: http://www.securitytracker.com/id/1037633
Vendor Advisory: https://issues.apache.org/jira/browse/TRINIDAD-2542
46 / 100 · moderate-risk
Severity: 32/34 · Critical
Exploitability: 9/34 · Low
Exposure: 5/34 · Minimal