Security Release for issue #12428

Synopsis

Edbo and Cédric Krier have found that record rules are not enforced by trytond when only reading fields without an SQL type (like Function fields).

Impact

CVSS v3.0 Base Score: 6.5

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Workaround

There is no known workaround.

Resolution

All affected users should upgrade trytond to the latest version.

Affected versions per series:

  • trytond:
    • 6.8: <= 6.8.2
    • 6.6: <= 6.6.10
    • 6.0: <= 6.0.33
    • 5.0: <= 5.0.59

Non-affected versions per series:

  • trytond:
    • 6.8: >= 6.8.3
    • 6.6: >= 6.6.11
    • 6.0: >= 6.0.34
    • 5.0: >= 5.0.60
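
To check a deployment against the version lists above, the following added example (not part of the original advisory or of the Tryton project) classifies exact trytond pins found in `pip freeze`-style output. The function names and the sample input are assumptions made for illustration; series the advisory does not list are reported as "unlisted" rather than guessed.

```python
import re

# First fixed release per series, taken from the advisory's version lists.
FIXED = {(6, 8): 3, (6, 6): 11, (6, 0): 34, (5, 0): 60}

# Matches an exact pin of the trytond server only, not modules such as trytond-party.
PIN = re.compile(r"^\s*trytond\s*==\s*(\d+)\.(\d+)\.(\d+)\s*(?:#.*)?$", re.I)


def classify(version):
    """Return 'affected', 'fixed' or 'unlisted' for a (major, minor, patch) tuple."""
    major, minor, patch = version
    first_fixed = FIXED.get((major, minor))
    if first_fixed is None:
        # The advisory says nothing about this series; do not guess.
        return "unlisted"
    return "affected" if patch < first_fixed else "fixed"


def audit(freeze_lines):
    """Scan `pip freeze`-style lines and report each exact trytond pin."""
    findings = []
    for line in freeze_lines:
        m = PIN.match(line)
        if m:
            version = tuple(int(part) for part in m.groups())
            findings.append((".".join(m.groups()), classify(version)))
    return findings


# Constructed sample input (not taken from any real deployment).
SAMPLE = [
    "python-sql==1.4.0",
    "trytond==6.0.33",
    "trytond==6.6.11",
    "trytond==6.4.2",
    "trytond-party==6.0.3",
]

if __name__ == "__main__":
    for version, status in audit(SAMPLE):
        print(f"trytond {version}: {status}")
```

An "unlisted" result means the advisory gives no information for that series, so it needs a separate check.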

Reference

Concerns?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked.
