With issue7792, the client attempts to connect to the bus in plain text instead of over an encrypted connection. The connection attempt fails, but its header carries the user's current session. This session could then be stolen by a man-in-the-middle.
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: None
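The class of mistake described above is a credential sent before the transport has been checked. The following is an added illustration, not Tryton's code or its actual fix: a client-side guard that derives the bus URL from the server URL so the scheme cannot silently downgrade, and refuses to attach a session token to any request that is not going over an encrypted scheme. The URLs, header format and function names are constructed for the example.

```python
"""
Added example (not Tryton's code): fail closed when a session token would be
sent over a plain-text transport.  All URLs, names and the header format are
constructed assumptions for illustration.
"""
from urllib.parse import urlsplit, urlunsplit

# Schemes on which it is acceptable to transmit a session token.
ENCRYPTED_SCHEMES = {"https", "wss"}


class PlaintextSessionError(Exception):
    """Raised when a session token would be sent over an unencrypted channel."""


def bus_url_from_server(server_url: str, bus_path: str = "/bus") -> str:
    """Derive the bus endpoint from the server URL, keeping the same scheme,
    host and port, so an encrypted server session cannot be downgraded to
    plain text by a separately configured bus URL."""
    parts = urlsplit(server_url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"server URL must be absolute: {server_url!r}")
    return urlunsplit((parts.scheme, parts.netloc, bus_path, "", ""))


def build_headers(url: str, session: str) -> dict:
    """Return the request headers for `url`, attaching the session token only
    if the URL uses an encrypted scheme; otherwise raise before anything is
    put on the wire."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ENCRYPTED_SCHEMES:
        raise PlaintextSessionError(
            f"refusing to send session over {scheme or 'unknown'}:// to {url}")
    # Hypothetical header format; the real wire format is not shown on the page.
    return {"Authorization": f"Session {session}"}


def safe_bus_headers(server_url: str, session: str) -> tuple:
    """Derive the bus URL and build its headers, or fail closed."""
    url = bus_url_from_server(server_url)
    return url, build_headers(url, session)


if __name__ == "__main__":
    # Constructed sample values.
    server = "https://tryton.example.test:8000/database"
    url, headers = safe_bus_headers(server, "s3ss10n-t0k3n")
    print(url, headers)
    try:
        build_headers("http://tryton.example.test:8000/bus", "s3ss10n-t0k3n")
    except PlaintextSessionError as exc:
        print("blocked:", exc)
```

The check lives in the function that builds the headers rather than in the caller, so every code path that attaches a session goes through it; a downgrade then shows up as an exception in the client log instead of a failed connection whose header was already observable on the network.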
There are no known workarounds.
All affected users should upgrade tryton to the latest version.
It is recommended that users change their password to clear all existing sessions (the password itself has not been compromised).
Only series 5.0 has the component subject to the issue.
Affected versions per series: =5.0.0
Non-affected versions per series: >=5.0.1
Any security concerns should be reported on the bug-tracker at
https://bugs.tryton.org/ with the type