CVE-2012-0215 — Improper Authentication in Trytond

CWE-264 CWE-287 — Improper Authentication5 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

0.6%

top 30.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tryton Trytond Debian Tryton-server

Timeline

PublishedJul 12

Latest updateMay 4

Description

model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.

CVSS vector

AV:N/AC:L/C:N/I:P/A:PExploitability: 8.0 | Impact: 4.9

Affected Packages3 packages

▶PyPItryton/trytond< 2.4.0

▶NVDtryton/trytond2.2.3+4

▶debiandebian/tryton-server< tryton-server 2.2.2-1 (bookworm)

Patches

Patch: hg.tryton.org ↗Patch: hg.tryton.org ↗

🔴Vulnerability Details

GHSA

Trytond allows modification of privileges of arbitrary users↗2022-05-04

▶

OSV

Trytond allows modification of privileges of arbitrary users↗2022-05-04

▶

OSV

CVE-2012-0215: model/modelstorage↗2012-07-12

▶

📋Vendor Advisories

Debian

CVE-2012-0215: tryton-server - model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0...↗2012

▶