PYSEC-2018-77

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/tryton/PYSEC-2018-77.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2018-77

Aliases

CVE-2018-19443
GHSA-32w7-9whp-cjp9

Published

2018-11-22T19:29:00Z

Modified

2023-11-08T04:00:08.062577Z

Summary

[none]

Details

The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle.

References

https://discuss.tryton.org/t/security-release-for-issue7792/830
https://bugs.tryton.org/issue7792
https://github.com/advisories/GHSA-32w7-9whp-cjp9

Affected packages

PyPI / tryton

Package

Name: tryton; View open source insights on deps.dev
Purl: pkg:pypi/tryton

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.0.1

Affected versions

5.*

5.0.0