Security Release for issue #14220

Luis Falcon has found that trytond may log sensitive data like passwords when the logging level is set to INFO.

Impact

CVSS v3.0 Base Score: 4.2

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Workaround

Increasing the logging level above INFO prevents logging of the sensitive data.
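A check for the workaround above, as an added example that is not part of the advisory or of trytond's own code: it assumes the server's logging is set up from a Python `logging.config.fileConfig`-style file and lists the configured loggers whose INFO records would still reach a handler. The sample configuration and its logger and handler names are constructed.

```python
import configparser
import logging

# Constructed excerpt in logging.config.fileConfig format; all names are illustrative.
SAMPLE_CONF = """
[loggers]
keys=root,app
[handlers]
keys=console,file
[logger_root]
level=WARNING
handlers=console
[logger_app]
level=INFO
qualname=trytond
handlers=file
[handler_console]
class=StreamHandler
[handler_file]
class=FileHandler
"""

def _lvl(section):  # missing level = NOTSET (0): handlers accept all, loggers inherit
    return getattr(logging, section.get("level", "NOTSET").strip().upper())

def loggers_emitting_info(conf_text):
    """Return configured logger names whose INFO records reach some handler."""
    cp = configparser.RawConfigParser()
    cp.read_string(conf_text)
    keys = lambda s: [k.strip() for k in s.split(",") if k.strip()]
    logs = {cp["logger_" + k].get("qualname", "root"): cp["logger_" + k]
            for k in keys(cp["loggers"]["keys"])}
    hlvl = {k: _lvl(cp["handler_" + k]) for k in keys(cp["handlers"]["keys"])}
    def parent(name):  # nearest configured ancestor, else root
        while "." in name:
            name = name.rsplit(".", 1)[0]
            if name in logs:
                return name
        return "root"
    def level(name):  # NOTSET on a non-root logger defers to its parent
        lv = _lvl(logs[name])
        return lv if lv or name == "root" else level(parent(name))
    def handlers(name):  # own handlers, plus ancestors' while propagate stays on
        own = keys(logs[name].get("handlers", ""))
        stop = name == "root" or logs[name].get("propagate", "1").strip() == "0"
        return own if stop else own + handlers(parent(name))
    return sorted(n for n in logs if level(n) <= logging.INFO
                  and any(hlvl[h] <= logging.INFO for h in handlers(n)))
```

An empty result means no configured logger passes INFO records to a handler; raising either the logger level or every reachable handler's level above INFO achieves that.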

Resolution

All affected users should upgrade trytond to the latest version.

Affected versions per series:

  • trytond:
    • 7.6: <= 7.6.6
    • 7.4: <= 7.4.16
    • 7.0: <= 7.0.35

Non-affected versions per series:

  • trytond:
    • 7.6: >= 7.6.7
    • 7.4: >= 7.4.17
    • 7.0: >= 7.0.36

Reference

Concerns?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked.
