Tryton Improper Access Control · CVE-2019-10868 · GitHub Advisory Database · GitHub

Tryton Improper Access Control

Moderate severity GitHub Reviewed Published Apr 10, 2019 to the GitHub Advisory Database • Updated Sep 5, 2023

Package

trytond (pip)

Affected versions

>= 4.2.0, < 4.2.21

>= 4.4.0, < 4.4.19

>= 4.6.0, < 4.6.14

>= 4.8.0, < 4.8.10

>= 5.0.0, < 5.0.6

Patched versions

4.2.21

4.4.19

4.6.14

4.8.10

5.0.6

Description

In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.

References

Published to the GitHub Advisory Database Apr 10, 2019

Reviewed Jun 16, 2020

Last updated Sep 5, 2023

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N