Security Release for issue7766

Synopsis

A vulnerability in trytond, the core package of Tryton, has been found by Cédric Krier.
The issue7766 shows that it is possible for an authenticated user to guess the value of a field for which he has no access right no matter if it is at the model or the field level. The procedure is to make dichotomous search queries on the model using a domain clause on the field equals value until the search returns the id.

Impact

CVSS v3.0 Base Score: 6.5

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Workaround

There are no known workarounds.

Resolution

All affected users should upgrade trytond to the latest version.
Affected versions per series:

  • 5.0: <=5.0.0
  • 4.8: <=4.8.4
  • 4.6: <=4.6.8
  • 4.4: <=4.4.13
  • 4.2: <=4.2.15
  • 4.0: <=4.0.19

Non affected versions per series:

  • 5.0: >=5.0.1
  • 4.8: >=4.8.5
  • 4.6: >=4.6.9
  • 4.4: >=4.4.14
  • 4.2: >=4.2.16
  • 4.0: >=4.0.20

Reference

Concern?

Any security concerns should be reported on the bug-tracker at
https://bugs.tryton.org/ with the type security .

Remarks

The module stock_supply received a fix that break the policy of not XML data changes in series. This is to give read access to “Stock Administrator” group for purchase requests in order to run the supply wizard without error.