Security Release for issue10068


A vulnerability in trytond has been found by German Dario Alvarez.
With issue10068, the WSGI server does not prevent serving files outside the root directory. This allows an attacker to retrieve the content of files for which the trytond user has read access.
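As an added illustration of the check whose absence this advisory describes (example code, not trytond's own handler or its fix): a WSGI static-file handler that resolves every request path against the configured root and refuses anything that lands outside it, including `..` sequences, NUL bytes and symlinks. The raw request target is percent-decoded exactly once before the check; `demo()` builds a constructed temporary tree to exercise it, and the file names it uses are constructed.

```python
import os
import tempfile
from urllib.parse import unquote


def safe_path(root, url_path):
    """Map a percent-decoded URL path to a file under root, or return None
    when it would escape root (via "..", a NUL byte or a symlink)."""
    root = os.path.realpath(root)
    if "\x00" in url_path:
        return None
    # A URL path is relative to root: strip leading slashes so os.path.join
    # cannot be made to treat the request as an absolute filesystem path.
    candidate = os.path.realpath(os.path.join(root, url_path.lstrip("/")))
    # realpath has collapsed every ".." and followed symlinks, so a prefix
    # test on the final location is the check that decides the request.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def check_raw_request(root, raw_target):
    """Decode a raw request target exactly once, then apply safe_path."""
    return safe_path(root, unquote(raw_target))


def static_app(root):
    """Minimal WSGI app that serves files only from root (PATH_INFO is
    already percent-decoded by the WSGI server, so it is not unquoted again)."""
    def app(environ, start_response):
        target = safe_path(root, environ.get("PATH_INFO", "/"))
        if target is None or not os.path.isfile(target):
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found\n"]
        with open(target, "rb") as fh:
            body = fh.read()
        start_response("200 OK", [("Content-Type", "application/octet-stream")])
        return [body]
    return app


def demo():
    """Constructed sample tree <tmp>/static/app.js; returns which raw request
    targets resolve to a file the handler is allowed to serve."""
    root = os.path.join(tempfile.mkdtemp(), "static")
    os.mkdir(root)
    with open(os.path.join(root, "app.js"), "w") as fh:
        fh.write("console.log('ok');\n")
    targets = ["/app.js", "/../secret.txt", "/%2e%2e/secret.txt", "/app.js%00"]
    return root, {t: check_raw_request(root, t) is not None for t in targets}
```

`os.path.commonpath` is used rather than a string prefix test so that a sibling directory whose name merely starts with the root's name is also rejected.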


CVSS v3.0 Base Score: 7.5

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None


It is possible to set up a reverse proxy in front of trytond that sanitizes the request path.


All affected users should upgrade trytond to the latest version.
Affected versions per series:

  • 5.8: <= 5.8.3
  • 5.6: <= 5.6.12
  • 5.0: <= 5.0.32

Non affected versions per series:

  • 5.8: >= 5.8.4
  • 5.6: >= 5.6.13
  • 5.0: >= 5.0.33



Any security concerns should be reported on the bug-tracker at with the type security.
