Synopsis
A vulnerability in trytond, the core package of Tryton, has been found by Cédric Krier.
issue7766 shows that an authenticated user can guess the value of a field to which they have no access right, regardless of whether the restriction is set at the model or at the field level. The procedure is to run dichotomous (binary) search queries on the model, using a domain clause of the form "field equals value", until the search returns the record id.
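The defensive check that closes this oracle is to validate the fields a search domain references before executing it, not only the fields returned. The following is an added example and not trytond's own fix: it walks a Tryton-style domain (clauses, nested sub-domains, leading AND/OR) and refuses the search when any referenced field is outside the caller's readable set; `READABLE`, `AccessError` and the model name are constructed stand-ins for Tryton's field access records.

```python
from typing import Any, Iterable, Set


class AccessError(Exception):
    """Raised when a search domain uses a field the caller may not read."""


def domain_fields(domain: Any) -> Set[str]:
    """Collect every local field name referenced by a Tryton-style domain.

    A domain is a list of clauses ('field', 'operator', value) and nested
    sub-domains, optionally starting with 'AND' or 'OR'. A dotted path such
    as 'party.name' references the local field 'party'; the remote field is
    checked when the related model itself is searched.
    """
    fields: Set[str] = set()
    if not isinstance(domain, (list, tuple)) or not domain:
        return fields
    head = domain[0]
    if isinstance(head, str) and head not in ('AND', 'OR'):
        fields.add(head.split('.', 1)[0])   # a single clause
        return fields
    rest = domain[1:] if isinstance(head, str) else domain
    for item in rest:
        fields |= domain_fields(item)
    return fields


def check_domain_access(model_name: str, domain: Any,
                        readable_fields: Iterable[str]) -> bool:
    """Refuse the search if the domain touches a field without read access.

    Checking only the fields returned by the search is not enough: a field
    used in the domain still leaks its value through which ids come back.
    """
    hidden = domain_fields(domain) - set(readable_fields)
    if hidden:
        raise AccessError('%s: no read access to field(s) %s in domain'
                          % (model_name, ', '.join(sorted(hidden))))
    return True


# Constructed example: the caller may read 'name' and 'party' on a
# hypothetical model 'example.employee', but not 'salary'.
READABLE = {'name', 'party'}
ALLOWED_DOMAIN = ['OR', ('name', 'ilike', 'a%'), [('party.name', '=', 'X')]]
LEAKING_DOMAIN = [('name', '!=', ''), ['AND', ('salary', '>=', 50000)]]


def search_is_allowed(domain: Any) -> bool:
    """True when the check passes, False when it would raise AccessError."""
    try:
        return check_domain_access('example.employee', domain, READABLE)
    except AccessError:
        return False
```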
Impact
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None
Workaround
There are no known workarounds.
Resolution
All affected users should upgrade trytond to the latest version.
Affected versions per series:
- 5.0: <=5.0.0
- 4.8: <=4.8.4
- 4.6: <=4.6.8
- 4.4: <=4.4.13
- 4.2: <=4.2.15
- 4.0: <=4.0.19
Non-affected versions per series:
- 5.0: >=5.0.1
- 4.8: >=4.8.5
- 4.6: >=4.6.9
- 4.4: >=4.4.14
- 4.2: >=4.2.16
- 4.0: >=4.0.20
Reference
Concern?
Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.
Remarks
The module stock_supply received a fix that breaks the policy of not changing XML data within a series. This is to give the “Stock Administrator” group read access to purchase requests, so that the supply wizard runs without error.