Friday, February 12, 2021

Tryton News: Security Release for issue10068

Synopsis

A vulnerability in trytond has been found by German Dario Alvarez.
As reported in issue10068, the WSGI server does not prevent serving files from outside the configured root directory. This allows an attacker to retrieve the content of files for which the trytond user has read access.

Impact

CVSS v3.0 Base Score: 7.5

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Workaround

It is possible to set up a reverse proxy in front of trytond that sanitizes the request path before it reaches the WSGI server.
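As an added illustration (not trytond's own code, nor the fix shipped in the release above), this is the check a WSGI wrapper or a proxy needs to apply: resolve the requested path against the static root and refuse anything that lands outside it. The root path and the inner application are constructed for the example.

```python
import os
from urllib.parse import unquote


def resolve_static_path(root, request_path):
    """Map a URL path onto a file under root; return None if it escapes root.

    The test is made on the resolved (symlink-free, ".."-free) path, so
    "/../etc/passwd", "/%2e%2e/etc/passwd" and a sibling directory whose name
    merely starts with root's name are all rejected.
    """
    root = os.path.realpath(root)
    # Decode percent-encoding first so "%2e%2e" is seen as "..".
    decoded = unquote(request_path)
    # Strip leading slashes, otherwise os.path.join discards root entirely.
    relative = decoded.lstrip("/")
    candidate = os.path.realpath(os.path.join(root, relative))
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def path_guard(app, root):
    """WSGI middleware: refuse any request whose path resolves outside root."""
    def guarded(environ, start_response):
        if resolve_static_path(root, environ.get("PATH_INFO", "")) is None:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return app(environ, start_response)
    return guarded


def invoke(app, path):
    """Minimal WSGI driver: return (status, body) for a single GET of path."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    body = b"".join(app({"PATH_INFO": path}, start_response))
    return seen["status"], body


# Constructed inner application standing in for the real static-file handler.
def static_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"served " + environ["PATH_INFO"].encode()]


STATIC_ROOT = "/srv/trytond-www"  # constructed example path; need not exist
guarded_app = path_guard(static_app, STATIC_ROOT)
```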

Resolution

All affected users should upgrade trytond to the latest version.
Affected versions per series:

  • 5.8: <= 5.8.3
  • 5.6: <= 5.6.12
  • 5.0: <= 5.0.32

Non-affected versions per series:

  • 5.8: >= 5.8.4
  • 5.6: >= 5.6.13
  • 5.0: >= 5.0.33

Reference

Concern?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.
