GHSA-32w7-9whp-cjp9
Suggest an improvement- Source
- https://github.com/advisories/GHSA-32w7-9whp-cjp9
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/11/GHSA-32w7-9whp-cjp9/GHSA-32w7-9whp-cjp9.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-32w7-9whp-cjp9
- Aliases
-
- CVE-2018-19443
- PYSEC-2018-77
- Published
- 2018-11-29T21:30:56Z
- Modified
- 2024-11-13T22:54:09Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Session Fixation in Tryton
- Details
-
The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-384" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T20:53:42Z" }- References
Affected packages
PyPI / tryton
Package
- Name
- tryton
- View open source insights on deps.dev
- Purl
- pkg:pypi/tryton