Security Release for issue7792


Cédric Krier

Synopsis

A vulnerability in tryton has been found by Cédric Krier.

With issue7792, the client attempts to open its connection to the bus in plain text instead of over the encrypted connection it already uses. The connection attempt fails, but the request header already carries the user's current session. A man-in-the-middle on the network path could therefore capture and reuse that session.
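To make the failure mode concrete, the following is an added, hypothetical illustration and not Tryton's own client code: a client that assembles the bus URL with a hard-coded plain-text scheme attaches the session to a request an attacker can read, whereas one that inherits the scheme from the established RPC connection, and additionally refuses to attach the session to any non-TLS URL, does not. The function names, the `Session` header name and the header format are assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Session:
    """Constructed stand-in for the client's authenticated session (not Tryton's)."""
    login: str
    session_id: str

    def header(self) -> str:
        # Hypothetical header value; the real client's format is not shown on the page.
        return f"Session {self.login}:{self.session_id}"


def build_bus_url_vulnerable(rpc_url: str, database: str) -> str:
    """Models the flaw: the bus URL is built with a fixed plain-text scheme,
    regardless of the scheme the RPC connection was established with."""
    parts = urlsplit(rpc_url)
    return urlunsplit(("http", parts.netloc, f"/{database}/bus", "", ""))


def build_bus_url_fixed(rpc_url: str, database: str) -> str:
    """Hardened form: the bus inherits the scheme of the RPC connection,
    so an https RPC endpoint yields an https bus endpoint."""
    parts = urlsplit(rpc_url)
    return urlunsplit((parts.scheme, parts.netloc, f"/{database}/bus", "", ""))


def bus_request_headers(bus_url: str, session: Session, require_tls: bool) -> dict:
    """Build the headers of the first bus request.

    With require_tls=True the session is never attached to a non-TLS URL, so
    even a wrongly built URL cannot leak the session to someone on the path.
    """
    scheme = urlsplit(bus_url).scheme
    if require_tls and scheme != "https":
        raise ValueError(f"refusing to send session over {scheme!r}: TLS required")
    return {"Session": session.header()}  # hypothetical header name


def session_visible_on_wire(bus_url: str, headers: dict) -> bool:
    """True when the session header would travel over a plain-text scheme,
    i.e. when a man-in-the-middle could read it."""
    return urlsplit(bus_url).scheme == "http" and "Session" in headers


if __name__ == "__main__":
    # Constructed sample values; no real server is contacted.
    rpc_url = "https://erp.example.test:8000/"
    session = Session("admin", "constructed-session-token")

    vuln_url = build_bus_url_vulnerable(rpc_url, "demo")
    vuln_headers = bus_request_headers(vuln_url, session, require_tls=False)
    print(vuln_url, "leaks session:", session_visible_on_wire(vuln_url, vuln_headers))

    fixed_url = build_bus_url_fixed(rpc_url, "demo")
    fixed_headers = bus_request_headers(fixed_url, session, require_tls=True)
    print(fixed_url, "leaks session:", session_visible_on_wire(fixed_url, fixed_headers))
```

The second guard (`require_tls`) is the defence-in-depth check a practitioner would want: deriving the scheme correctly fixes the bug described above, but refusing to ever attach a session to a non-TLS request also covers the next URL-building mistake.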

Impact

CVSS v3.0 Base Score: 4.2

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

Workaround

There are no known workarounds.

Resolution

All affected users should upgrade tryton to the latest version.
It is recommended that users change their password, which invalidates all existing sessions (the password itself has not been compromised; only a session that may have been exposed is being revoked).
Only the 5.0 series contains the component subject to the issue.
Affected versions per series: =5.0.0
Non affected versions per series: >=5.0.1

Reference

Concern?

Any security concerns should be reported on the bug-tracker at
https://bugs.tryton.org/ with the type security.