The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle.
References
| Link | Resource |
|---|---|
| https://bugs.tryton.org/issue7792 | Issue Tracking, Third Party Advisory |
| https://discuss.tryton.org/t/security-release-for-issue7792/830 | Vendor Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2018-11-22T19:00:00
Updated: 2018-11-22T19:57:01
Reserved: 2018-11-22T00:00:00
Link: CVE-2018-19443
NVD Information
Status: Analyzed
Published: 2018-11-22T19:29:00.220
Modified: 2018-12-20T01:25:25.837
Link: CVE-2018-19443
Redhat Information
No data.
CWE