FACES-2361 Security vulnerability with accessing a non-Faces view in JSF portlets

Description

Due to a requirement in Section 4.2.5 of the JSR 329 Specification, CVE-2015-5176 exists in the Liferay Faces Bridge API dependency. For more information about patch availability, see the blog announcement titled "Announcement: Patches for Liferay Faces GA5".

This affects the following Liferay Faces (GA5) versions:

  • 3.2.4.1-ga5
  • 3.1.4.1-ga5
  • 3.0.4.1-ga5
  • 3.0.4.1-legacy-ga5
  • 2.2.4.1-ga5
  • 2.1.4.1-ga5

Patches are available for all of the affected versions. The recently released GA6 versions of Liferay Faces include the fix and are not affected.

Severity

Severity 1

Publication date: Tue, 18 Aug 2015 21:20:00 +0000

Security advisories for Liferay's enterprise offerings (e.g., Liferay DXP) have only been listed here since 2023. Historical advisories are available in the Help Center.