Tuesday, March 10, 2020

Tryton News: Security Release for issue9108

@ced wrote:

Synopsis

A vulnerability in trytond has been found by Maxime Richez.

With issue9108, the trytond server does not enforce access rights on wizards relying on the access rights of the model on which they run.
So an authenticated user can execute some wizards for which he does not have the rights.

Impact

CVSS v3.0 Base Score: 4.3

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Workaround

The administrator can set explicit access rights on those wizards.

Resolution

All affected users should upgrade trytond to the latest version.
Affected versions per series:

  • 5.4: <= 5.4.4
  • 5.2: <= 5.2.12
  • 5.0: <= 5.0.18

Non-affected versions per series:

  • 5.4: >= 5.4.5
  • 5.2: >= 5.2.13
  • 5.0: >= 5.0.19

Reference

Concern?

Any security concerns should be reported on the bug-tracker at
https://bugs.tryton.org/ with the type security.
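The check the advisory describes, as an added stand-alone illustration (not trytond's code; the wizard, group and model names are constructed): a wizard with no explicit access rule must fall back to the access rights of the model it runs on, which is what the vulnerable server omitted.

```python
# Simplified model of wizard access enforcement (assumed names, not the
# real trytond API): explicit wizard rules win, otherwise model rights apply.
from dataclasses import dataclass


class AccessDenied(PermissionError):
    """Raised when a user may not execute a wizard."""


@dataclass(frozen=True)
class Wizard:
    name: str    # wizard identifier, e.g. "sale.confirm"
    model: str   # model the wizard operates on
    perm: str    # model permission the wizard's work requires


# Constructed sample data: user -> groups, and a trytond-style model access
# table mapping (model, group) -> granted permissions.
USER_GROUPS = {"alice": {"sale_admin"}, "bob": {"sale_user"}}
MODEL_ACCESS = {
    ("sale.sale", "sale_admin"): {"read", "write", "create", "delete"},
    ("sale.sale", "sale_user"): {"read"},
}
# Explicit per-wizard rights, the administrator workaround from the advisory.
WIZARD_ACCESS = {"sale.cancel": {"sale_admin"}}

CONFIRM = Wizard("sale.confirm", "sale.sale", "write")   # no explicit rule
CANCEL = Wizard("sale.cancel", "sale.sale", "write")     # explicit rule


def has_model_access(user, model, perm):
    """True if any of the user's groups grants `perm` on `model`."""
    groups = USER_GROUPS.get(user, set())
    return any(perm in MODEL_ACCESS.get((model, g), set()) for g in groups)


def can_execute(user, wizard):
    """Fixed behaviour: an explicit wizard rule wins when present; otherwise
    the wizard inherits the access rights of the model it runs on."""
    if wizard.name in WIZARD_ACCESS:
        return bool(USER_GROUPS.get(user, set()) & WIZARD_ACCESS[wizard.name])
    return has_model_access(user, wizard.model, wizard.perm)


def execute_vulnerable(user, wizard):
    """Pre-fix behaviour: the wizard runs for any authenticated user."""
    return f"{wizard.name} run on {wizard.model} by {user}"


def execute_fixed(user, wizard):
    """Post-fix behaviour: refuse unless the access check passes."""
    if not can_execute(user, wizard):
        raise AccessDenied(f"{user} may not execute {wizard.name}")
    return execute_vulnerable(user, wizard)
```

With this data, bob (read-only on sale.sale) can still run the confirm wizard through execute_vulnerable, while execute_fixed refuses him and lets alice through.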
