CVE-2014-6633 — Command Injection in Tryton

CWE-77 — Command Injection6 documents5 sources

Severity

8.8HIGHNVD

EPSS

1.0%

top 22.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tryton Tryton Trytond Debian Tryton-server

Timeline

PublishedApr 12

Latest updateMay 14

Description

The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the collection.domain in the webdav module or (2) the formula field in the price_list module.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶PyPItryton/trytond2.4.0 — 2.4.15+4

▶NVDtryton/tryton2.4.0 — 2.4.15+4

▶PyPItryton/tryton2.6.0 — 2.6.14+3

▶debiandebian/tryton-server< tryton-server 3.2.3-1 (bookworm)

🔴Vulnerability Details

OSV

Tryton vulnerable to arbitrary command execution↗2022-05-14

▶

GHSA

Tryton vulnerable to arbitrary command execution↗2022-05-14

▶

OSV

CVE-2014-6633: The safe_eval function in trytond in Tryton before 2↗2018-04-12

▶

📋Vendor Advisories

Debian

CVE-2014-6633: tryton-server - The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, ...↗2014

▶

🕵️Threat Intelligence

Wiz

CVE-2020-37014 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶