Security Release for issue #14366

News
1

Cédric Krier has found that trytond does not enforce access rights for data export (since version 6.0).

Impact

CVSS v3.0 Base Score: 6.5

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Workaround

There is no workaround.

Resolution

All affected users should upgrade trytond to the latest version.

Affected versions per series:

  • trytond:
    • 7.6: <= 7.6.10
    • 7.4: <= 7.4.20
    • 7.0: <= 7.0.39
    • 6.0: <= 6.0.69

Non affected versions per series:

  • trytond:
    • 7.6: >= 7.6.11
    • 7.4: >= 7.4.21
    • 7.0: >= 7.0.40
    • 6.0: >= 6.0.70

Reference

Concerns?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked.