Lucene search

K

GitHub Advisory DatabaseGHSA-CQG4-RF29-3MV6

HistoryMay 04, 2022 - 12:28 a.m.

Trytond allows modification of privileges of arbitrary users

2022-05-0400:28:50

CWE-287

GitHub Advisory Database

github.com

5

6.9 Medium

AI Score

Confidence

Low

5.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

0.003 Low

EPSS

Percentile

71.2%

model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.

CPENameOperatorVersion
trytondlt2.4.0

References

hg.tryton.org/trytond/rev/8e64d52ecea4

www.debian.org/security/2012/dsa-2444

bugs.tryton.org/issue2476

github.com/advisories/GHSA-cqg4-rf29-3mv6

github.com/tryton/trytond/commit/d059ebb792401ded3129cd9402d7392dc34b81e3

nvd.nist.gov/vuln/detail/CVE-2012-0215

web.archive.org/web/20121113201043/news.tryton.org/2012/03/security-releases-for-all-supported.html

6.9 Medium

AI Score

Confidence

Low

5.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

0.003 Low

EPSS

Percentile

71.2%

Related for GHSA-CQG4-RF29-3MV6

osv2 openvas8 nessus4 ubuntucve1 fedora3 prion1 securityvulns2 debiancve1 seebug1 debian1 cve1