Vulnerability CVE-2018-19443

Published: 2018-11-22

Description:
The client in Tryton 5.x before 5.0.1, under certain circumstances in bus.py and jsonrpc.py, tries to connect to the bus in cleartext instead of over an encrypted connection. The connection attempt fails, but its header carries the user's current session, which a man-in-the-middle could then steal.

Type: CWE-384 (Session Fixation)

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Affected software: Tryton -> Tryton

References:
https://bugs.tryton.org/issue7792
https://discuss.tryton.org/t/security-release-for-issue7792/830

Copyright 2024, cxsecurity.com