ID CVE-2016-5019
Summary CoreResponseStateManager in Apache MyFaces Trinidad 1.0.0 through 1.0.13, 1.2.x before 1.2.15, 2.0.x before 2.0.2, and 2.1.x before 2.1.2 might allow attackers to conduct deserialization attacks via a crafted serialized view state string.
References
Vulnerable Configurations
CVSS
Base: 7.5 (as of 04-10-2016 - 14:41)
Impact:
Exploitability:
CWE CWE-502
CAPEC
Access
Vector NETWORK
Complexity LOW
Authentication NONE
Impact
Confidentiality PARTIAL
Integrity PARTIAL
Availability PARTIAL
nessus via4
  • NASL family Misc.
    NASL id ORACLE_JDEVELOPER_CPU_JULY_2016.NASL
    description The version of Oracle JDeveloper installed on the remote host is missing a security patch. It is, therefore, affected by multiple remote code execution vulnerabilities:
      - A remote code execution vulnerability exists in the Application Development Framework (ADF) Faces subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2016-3504)
      - A remote code execution vulnerability exists in the Apache MyFaces Trinidad component in the CoreResponseStateManager subcomponent due to improper validation of the ObjectInputStream and ObjectOutputStream strings prior to deserialization. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-5019)
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 93592
    published 2016-09-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93592
    title Oracle JDeveloper Multiple RCE (July 2016 CPU)
  • NASL family CGI abuses
    NASL id ORACLE_PRIMAVERA_P6_EPPM_CPU_JUL_2017.NASL
    description According to its self-reported version number, the Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) installation running on the remote web server is 8.3.x prior to 8.3.15.4, 8.4.x prior to 8.4.15.2, 15.x prior to 15.2.15.1, or 16.x prior to 16.2.9.0. It is, therefore, affected by the following vulnerabilities:
      - A flaw exists in the Web Access component, specifically in Apache MyFaces Trinidad in CoreResponseStateManager, due to using ObjectInputStream and ObjectOutputStream strings directly without securely deserializing Java input. An unauthenticated, remote attacker can exploit this, via a crafted serialized view state string, to execute arbitrary code. (CVE-2016-5019)
      - Multiple unspecified flaws exist in the Web Access component that allow an authenticated, remote attacker to disclose sensitive information. (CVE-2017-10038, CVE-2017-10160)
      - An unspecified flaw exists in the Web Access component that allows an authenticated, remote attacker to impact confidentiality and integrity. (CVE-2017-10046)
      - An unspecified flaw exists in the Web Access component that allows an authenticated, remote attacker to impact confidentiality, integrity, and availability. (CVE-2017-10131)
      Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 101900
    published 2017-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101900
    title Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (July 2017 CPU)
  • NASL family Misc.
    NASL id ORACLE_ENTERPRISE_MANAGER_JAN_2017_CPU.NASL
    description The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in the Enterprise Manager Base Platform component:
      - A flaw exists in the Bouncy Castle Java library due to improper validation of a point within the elliptic curve. An unauthenticated, remote attacker can exploit this to obtain private keys by using a series of specially crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, also known as an 'invalid curve attack.' (CVE-2015-7940)
      - A flaw exists in Apache MyFaces Trinidad, specifically in the CoreResponseStateManager component, due to the ObjectInputStream and ObjectOutputStream strings being used directly without securely deserializing Java input. An unauthenticated, remote attacker can exploit this, via a deserialization attack using a crafted serialized view state string, to have an unspecified impact that may include the execution of arbitrary code. (CVE-2016-5019)
      Note that the product was formerly known as Enterprise Manager Grid Control.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 96777
    published 2017-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96777
    title Oracle Enterprise Manager Cloud Control Multiple Vulnerabilities (January 2017 CPU)
refmap via4
bid 93236
confirm
misc http://packetstormsecurity.com/files/138920/Apache-MyFaces-Trinidad-Information-Disclosure.html
mlist [myfaces-users] 20160929 Re: CVE-2016-5019: MyFaces Trinidad view state deserialization security vulnerability
sectrack 1037633
Last major update 26-10-2016 - 22:00
Published 03-10-2016 - 14:59
Last modified 28-11-2018 - 16:52