Security release for issue12108

Synopsis

A vulnerability in trytond has been found by José Antonio Díaz Miralles (@tiyujopite).
Due to issue12108, the Tryton server does not refresh the authenticated user data but instead uses the values from the first request.

Resolution

A fix for all supported versions has been released.

Affected versions per supported series:

trytond:
    6.6: <= 6.6.5
    6.4: <= 6.4.12
    6.0: <= 6.0.28

Unaffected versions per supported series:

trytond:
    6.6: >= 6.6.6
    6.4: >= 6.4.13
    6.0: >= 6.0.29

We encourage everyone to upgrade the trytond package to the latest released version.
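The following check is an added example, not part of the advisory or of Tryton's own code: it classifies a trytond version string against the series listed above. The function names and the result labels (`affected`, `fixed`, `not-listed`) are assumptions made for this example; a series outside the table is reported as `not-listed` because the advisory only covers supported series.

```python
import re
from importlib import metadata

# First fixed patch release per supported series, copied from the advisory.
FIRST_FIXED = {(6, 6): 6, (6, 4): 13, (6, 0): 29}


def classify_trytond(version: str) -> str:
    """Return 'affected', 'fixed' or 'not-listed' for a trytond version.

    'not-listed' means the series is not in the advisory's table
    (an unsupported or a newer series); the advisory says nothing about it.
    Only plain X.Y or X.Y.Z strings are accepted, so that development or
    pre-release builds are not silently treated as a fixed release.
    """
    match = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor = int(match.group(1)), int(match.group(2))
    patch = int(match.group(3) or 0)  # '6.6' is treated as 6.6.0
    first_fixed = FIRST_FIXED.get((major, minor))
    if first_fixed is None:
        return "not-listed"
    return "fixed" if patch >= first_fixed else "affected"


def installed_trytond_version():
    """Return the installed trytond version, or None if it is not installed."""
    try:
        return metadata.version("trytond")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    found = installed_trytond_version()
    if found is None:
        print("trytond is not installed in this environment")
    else:
        print(f"trytond {found}: {classify_trytond(found)}")
```

Run it with the same Python interpreter or virtual environment that the Tryton server uses, otherwise it reports on a different installation.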

Reference

Concerns?

Any security concerns should be reported on the bug-tracker at Issues · Tryton / Tryton · GitLab, marking them as confidential.
