CVE-2017-0360 — Improper Privilege Management in Trytond

CWE-269 — Improper Privilege Management9 documents6 sources

Severity

5.3MEDIUMNVD

GHSA4.4OSV4.4

EPSS

0.3%

top 45.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tryton Trytond Debian Tryton-server Tryton

Timeline

PublishedApr 4

Latest updateMay 13

Description

file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users with certain permissions to read arbitrary files via a "same root name but with a suffix" attack. NOTE: This vulnerability exists because of an incomplete fix for CVE-2016-1242.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages3 packages

▶PyPItryton/trytond4.2.0 — 4.2.3+6

▶debiandebian/tryton-server< tryton-server 4.2.1-2 (bookworm)

▶NVDtryton/tryton99 versions+98

🔴Vulnerability Details

OSV

Tryton Information Disclosure Vulnerability↗2022-05-13

▶

GHSA

Tryton Information Disclosure Vulnerability↗2022-05-13

▶

OSV

CVE-2017-0360: file_open in Tryton 3↗2017-04-04

▶

📋Vendor Advisories

Debian

CVE-2017-0360: tryton-server - file_open in Tryton 3.x and 4.x through 4.2.2 allows remote authenticated users ...↗2017

▶

🕵️Threat Intelligence

Wiz

CVE-2020-37014 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2017-0360 tryton: file_open does not sanitize all cases [epel-6]↗2017-04-05

▶

Bugzilla

CVE-2017-0360 tryton: file_open does not sanitize all cases [fedora-all]↗2017-04-05

▶

Bugzilla

CVE-2017-0360 tryton: file_open does not sanitize all cases↗2017-04-05

▶