Security Release for issue #13142

Cédric Krier has found that trytond accepts compressed content from unauthenticated requests which makes it vulnerable to zip bomb attacks.

Impact

CVSS v3.0 Base Score: 5.3

• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None
• Scope: Unchanged
• Confidentiality: None
• Integrity: None
• Availability: Low

Workaround

A proxy can be deployed in front of the trytond server to forbid this kind of request.

Resolution

All affected users should upgrade trytond to the latest version.

Affected versions per series:

• trytond:
  • 7.0: <= 7.0.9
  • 6.8: <= 6.8.14
  • 6.0: <= 6.0.44

Non affected versions per series:

• trytond:
  • 7.0: >= 7.0.10
  • 6.8: >= 6.8.15
  • 6.0: >= 6.0.45

Reference

• Accept request with gzip content encoding may make server vulnerable to zip bomb (#13142) · Issues · Tryton / Tryton · GitLab

Concerns?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked.

A post was merged into an existing topic: Tarball signatures

This topic was automatically closed after 30 days. New replies are no longer allowed.