Security Release for issue #14354

Mahdi Afshar and Abdulfatah Abdillahi have found that trytond sends the trace-back to the clients for unexpected errors. This trace-back may leak information about the server setup.

Impact

CVSS v3.0 Base Score: 4.3

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

Workaround

A possible workaround is to configure an error handler that removes the trace-back from the response before it is returned to the client.
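The following is an added example of such a handler, not code from the advisory or from the Tryton project. It assumes the shape of trytond's `app.error_handler` hook (`handler(app, request, exception)`) and that the formatted trace-back is attached to the exception as `__format_traceback__` before handlers run; both are assumptions to verify against the installed version. It runs stand-alone with a constructed stand-in for the JSON-RPC error encoding, so trytond does not need to be installed.

```python
import json
import logging
import traceback
import uuid

log = logging.getLogger(__name__)


def strip_traceback(app, request, exception):
    """Error handler in the assumed shape of trytond's app.error_handler hook.

    The trace-back is logged server-side under an incident id and the
    attribute the protocol layer reads is replaced with that id, so the
    client still gets something a support desk can correlate, but no
    file paths, module names or frame contents from the server.
    """
    incident = uuid.uuid4().hex[:12]
    tb = getattr(exception, '__format_traceback__', None)
    if tb:
        log.error('incident %s: %s', incident, tb)
    # Keep the attribute present (an empty string would also do) rather than
    # deleting it, in case the encoder reads it with plain attribute access.
    exception.__format_traceback__ = 'incident %s' % incident
    return None  # no Response returned: trytond continues with its default


# Registration (assumption; commented out so this runs without trytond):
#   from trytond.wsgi import app
#   app.error_handler(strip_traceback)


def jsonrpc_error(exception, request_id=None):
    """Constructed stand-in for the vulnerable response shape:
    error = [message, trace-back]."""
    return json.dumps({
        'id': request_id,
        'error': [str(exception),
                  getattr(exception, '__format_traceback__', '')],
    })


def demo():
    """Return the JSON-RPC error body before and after the handler runs."""
    try:
        {}['missing']  # constructed unexpected error
    except KeyError as e:
        e.__format_traceback__ = traceback.format_exc()
        before = jsonrpc_error(e, 1)
        strip_traceback(None, None, e)
        after = jsonrpc_error(e, 1)
    return before, after
```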

Resolution

All affected users should upgrade trytond to the latest version.

Affected versions per series:

  • trytond:
    • 7.6: <= 7.6.10
    • 7.4: <= 7.4.20
    • 7.0: <= 7.0.39
    • 6.0: <= 6.0.69

Non-affected versions per series:

  • trytond:
    • 7.6: >= 7.6.11
    • 7.4: >= 7.4.21
    • 7.0: >= 7.0.40
    • 6.0: >= 6.0.70

Reference

Concerns?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked.

Why not also add Information Disclosure via Stack Trace in JSON-RPC API (#14355) · Issues · Tryton / Tryton · GitLab as a reference?