Tryton Discussion

Security Release for issue #13142

ced (Cédric Krier) April 17, 2024, 4:00pm 1

Cédric Krier has found that trytond accepts compressed content from unauthenticated requests which makes it vulnerable to zip bomb attacks.

Impact

CVSS v3.0 Base Score: 5.3

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

Workaround

A proxy can be deployed in front of the trytond server to forbid this kind of request.

Resolution

All affected users should upgrade trytond to the latest version.

Affected versions per series:

trytond:
- 7.0: <= 7.0.9
- 6.8: <= 6.8.14
- 6.0: <= 6.0.44

Non affected versions per series:

trytond:
- 7.0: >= 7.0.10
- 6.8: >= 6.8.15
- 6.0: >= 6.0.45

Reference

Accept request with gzip content encoding may make server vulnerable to zip bomb (#13142) · Issues · Tryton / Tryton · GitLab

Concerns?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked.

3 Likes

ced (Cédric Krier) Split this topic April 18, 2024, 8:16am 2

A post was merged into an existing topic: Tarball signatures