Tryton up to 5.0.5 modelstorage.py access control

Summaryinfo

A vulnerability was found in Tryton up to 4.2.20/4.4.18/4.6.13/4.8.9/5.0.5 and classified as critical. This issue affects some unknown processing of the file trytond/model/modelstorage.py. Executing a manipulation can lead to access control. This vulnerability is registered as CVE-2019-10868. It is possible to launch the attack remotely. No exploit is available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability has been found in Tryton up to 4.2.20/4.4.18/4.6.13/4.8.9/5.0.5 and classified as critical. This vulnerability affects an unknown code of the file trytond/model/modelstorage.py. The manipulation with an unknown input leads to a access control vulnerability. The CWE definition for the vulnerability is CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.

The bug was discovered 04/03/2019. The weakness was published 04/05/2019 by Cedric Krier as confirmed mailinglist post (Bugtraq). The advisory is shared for download at seclists.org. The public release has been coordinated with the vendor. This vulnerability was named CVE-2019-10868 since 04/04/2019. The attack can be initiated remotely. A single authentication is needed for exploitation. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1068.

The vulnerability was handled as a non-public zero-day exploit for at least 2 days. During that time the estimated underground price was around $0-$5k. The vulnerability scanner Nessus provides a plugin with the ID 255108 (Linux Distros Unpatched Vulnerability : CVE-2019-10868), which helps to determine the existence of the flaw in a target environment. The commercial vulnerability scanner Qualys is able to test this issue with plugin 176806 (Debian Security Update for tryton-server (DSA 4426-1)).

Upgrading to version 4.2.21, 4.4.19, 4.6.14, 4.8.10 or 5.0.6 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (255108). Once again VulDB remains the best source for vulnerability data.

Productinfo

Name

• Tryton

Version

• 4.2.0
• 4.2.1
• 4.2.2
• 4.2.3
• 4.2.4
• 4.2.5
• 4.2.6
• 4.2.7
• 4.2.8
• 4.2.9
• 4.2.10
• 4.2.11
• 4.2.12
• 4.2.13
• 4.2.14
• 4.2.15
• 4.2.16
• 4.2.17
• 4.2.18
• 4.2.19
• 4.2.20
• 4.4.0
• 4.4.1
• 4.4.2
• 4.4.3
• 4.4.4
• 4.4.5
• 4.4.6
• 4.4.7
• 4.4.8
• 4.4.9
• 4.4.10
• 4.4.11
• 4.4.12
• 4.4.13
• 4.4.14
• 4.4.15
• 4.4.16
• 4.4.17
• 4.4.18
• 4.6.0
• 4.6.1
• 4.6.2
• 4.6.3
• 4.6.4
• 4.6.5
• 4.6.6
• 4.6.7
• 4.6.8
• 4.6.9
• 4.6.10
• 4.6.11
• 4.6.12
• 4.6.13
• 4.8.0
• 4.8.1
• 4.8.2
• 4.8.3
• 4.8.4
• 4.8.5
• 4.8.6
• 4.8.7
• 4.8.8
• 4.8.9
• 5.0.0
• 5.0.1
• 5.0.2
• 5.0.3
• 5.0.4
• 5.0.5

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion