- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- Affects Version/s: liferay-faces-2.1.0-ga1, liferay-faces-2.1.1-ga2, liferay-faces-2.1.2-ga3, liferay-faces-2.1.3-ga4, liferay-faces-2.1.4-ga5, liferay-faces-2.2.4-ga5, liferay-faces-3.0.0-legacy-ga1, liferay-faces-3.0.1-legacy-ga2, liferay-faces-3.0.2-legacy-ga3, liferay-faces-3.0.3-legacy-ga4, liferay-faces-3.0.4-legacy-ga5, liferay-faces-3.0.0-ga1, liferay-faces-3.0.1-ga2, liferay-faces-3.0.2-ga3, liferay-faces-3.0.3-ga4, liferay-faces-3.0.4-ga5, liferay-faces-3.1.0-ga1, liferay-faces-3.1.1-ga2, liferay-faces-3.1.2-ga3, liferay-faces-3.1.3-ga4, liferay-faces-3.1.4-ga5, liferay-faces-3.2.4-ga5, liferay-faces-4.2.5-ga6
- Component/s: Liferay Faces Bridge Impl / Demos / Tests

Due to a requirement in Section 5.2.7 of the JSR 329 Specification, CVE-2015-3244 exists in Liferay Faces Bridge. In addition, the "resource excludes" requirements of the javax.faces.application.ResourceHandler abstract class are not implemented.
See also https://web.liferay.com/group/customer/products/faces/security-vulnerability/lsv-71.