Lucene search

[email protected]CVE-2019-10868

HistoryApr 05, 2019 - 1:29 a.m.

CVE-2019-10868

2019-04-0501:29:00

CWE-862

[email protected]

web.nvd.nist.gov

cve

tryton

modelstorage.py

authenticated user

access right

security vulnerability

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

6.1 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.1%

JSON

In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.

Affected configurations

NVD

Node

trytontrytondRange4.2.0–4.2.21

trytontrytondRange4.4.0–4.4.19

trytontrytondRange4.6.0–4.6.14

trytontrytondRange4.8.0–4.8.10

trytontrytondRange5.0.0–5.0.6

Node

debiandebian_linuxMatch9.0

CPENameOperatorVersion
tryton:trytondtryton trytondlt4.2.21
tryton:trytondtryton trytondlt4.4.19
tryton:trytondtryton trytondlt4.6.14
tryton:trytondtryton trytondlt4.8.10
tryton:trytondtryton trytondlt5.0.6

CPE	Name	Operator	Version
tryton:trytond	tryton trytond	lt	4.2.21
tryton:trytond	tryton trytond	lt	4.4.19
tryton:trytond	tryton trytond	lt	4.6.14
tryton:trytond	tryton trytond	lt	4.8.10
tryton:trytond	tryton trytond	lt	5.0.6