Security Release for issue8189


(Cédric Krier) #1

Synopsis

A vulnerability in tryton has been found by Cédric Krier.

With issue8189, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.

Impact

CVSS v3.0 Base Score: 4.3

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

Workaround

There are no known workarounds.

Resolution

All affected users should upgrade trytond to the latest version.
Affected versions per series:

  • 5.0: <=5.0.5
  • 4.8: <=4.8.9
  • 4.6: <=4.6.13
  • 4.4: <=4.4.18
  • 4.2: <=4.2.20

Non-affected versions per series:

  • 5.0: >=5.0.6
  • 4.8: >=4.8.10
  • 4.6: >=4.6.14
  • 4.4: >=4.4.19
  • 4.2: >=4.2.21

Reference

Concern?

Any security concerns should be reported on the bug-tracker at
https://bugs.tryton.org/ with the type security.

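The class of defect described in the synopsis, a sort key that bypasses field-level read access, as an added example that is not trytond's code and does not reproduce its API. The records, groups and access table below are constructed; `search_unchecked` shows why ordering on a hidden field leaks its ranking, and `search_checked` shows the fix of validating every ordering field against the caller's read access before the query is built.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

class AccessError(Exception):
    """Raised when a caller orders by a field they may not read."""

@dataclass
class Record:
    id: int
    values: Dict[str, object]

# Constructed sample data (not from the advisory): three employee records
# with a 'salary' field that only the 'hr' group may read.
RECORDS: List[Record] = [
    Record(1, {"name": "Alice", "salary": 5200}),
    Record(2, {"name": "Bob", "salary": 3100}),
    Record(3, {"name": "Carol", "salary": 4400}),
]

# Constructed field-level read access: group -> fields it may read.
FIELD_READ_ACCESS: Dict[str, set] = {
    "hr": {"name", "salary"},
    "staff": {"name"},
}

# Ordering spec: list of (field, direction) pairs, e.g. [("salary", "DESC")].
Order = List[Tuple[str, str]]

def readable_fields(group: str) -> set:
    return set(FIELD_READ_ACCESS.get(group, set()))

def _sort(records: List[Record], order: Order) -> List[Record]:
    # Sort by the least significant key first; Python's sort is stable,
    # so the first key in `order` ends up dominating.
    result = list(records)
    for fname, direction in reversed(order):
        result.sort(key=lambda r: r.values[fname],
                    reverse=(direction.upper() == "DESC"))
    return result

def _project(record: Record, fields: set) -> dict:
    # Only fields the caller may read are returned; id is always visible.
    row = {"id": record.id}
    row.update({k: v for k, v in record.values.items() if k in fields})
    return row

def search_unchecked(group: str, order: Order) -> List[dict]:
    """Vulnerable pattern: access is enforced on the columns returned, but
    the ORDER BY key is used verbatim. A 'staff' caller never sees salary,
    yet the sequence of ids reveals the salary ranking."""
    fields = readable_fields(group)
    return [_project(r, fields) for r in _sort(RECORDS, order)]

def order_allowed(group: str, order: Order) -> bool:
    """True only if every ordering field is readable by the group."""
    fields = readable_fields(group)
    return all(fname in fields for fname, _ in order)

def search_checked(group: str, order: Order) -> List[dict]:
    """Hardened pattern: reject the request before any query is built if the
    caller may not read one of the ordering fields."""
    if not order_allowed(group, order):
        denied = [f for f, _ in order if f not in readable_fields(group)]
        raise AccessError(f"group {group!r} may not order by {denied}")
    return search_unchecked(group, order)

if __name__ == "__main__":
    # Leak: staff cannot read salary, but the id order exposes its ranking.
    print([r["id"] for r in search_unchecked("staff", [("salary", "ASC")])])  # [2, 3, 1]
    # Fixed: same request is refused.
    try:
        search_checked("staff", [("salary", "ASC")])
    except AccessError as exc:
        print("denied:", exc)
    # Permitted orderings still work.
    print([r["id"] for r in search_checked("hr", [("salary", "DESC")])])  # [1, 3, 2]
    print([r["id"] for r in search_checked("staff", [("name", "ASC")])])  # [1, 2, 3]
```

The check belongs at the point where the ordering specification is accepted, not where results are projected: by the time rows are filtered to readable columns, the database has already sorted on the protected value and the leak has happened.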

(Mathias Behrle) #2

CVE-2019-10868 was assigned by the Debian project to this issue. Please include this identifier whenever you refer to this issue.