Security Release for issue #14354
Briefly

"Mahdi Afshar and Abdulfatah Abdillahi have found that trytond sends the trace-back to the clients for unexpected errors. This trace-back may leak information about the server setup.

Impact

CVSS v3.0 Base Score: 4.3
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Workaround

A possible workaround is to configure an error handler which would remove the trace-back from the response.

Resolution

All affected users should upgrade trytond to the latest version.

Affected versions per series:

Non affected versions per series:

Reference

Concerns?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked."
trytond returns full trace-back information to clients when unexpected errors occur, which can reveal details about server setup. The issue has a CVSS v3.0 base score of 4.3, with network attack vector, low complexity, and low privileges required. Confidentiality impact is classified as low; integrity and availability are unaffected. A practical workaround is to configure an error handler that strips trace-back data from responses. The definitive resolution is to upgrade trytond to the latest version. Security concerns should be reported on the project bug-tracker with the confidential checkbox enabled.
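The following is an added, constructed illustration of the advisory's point and of the workaround it describes; it is not trytond's code and does not use trytond's error-handler API (the JSON-RPC style dispatcher, the method table and the `_unexpected_failure` stand-in are all assumptions made for this example). The leaky dispatcher puts `traceback.format_exc()` into the error response, so file paths, line numbers and frame contents reach the client; the hardened dispatcher logs the trace-back server-side under an opaque reference and returns only a generic message.

```python
"""Constructed example: one unexpected server error, handled two ways.

Illustrative code written for this page, not trytond's implementation.
It models the advisory's point: returning the Python trace-back in an
RPC error response leaks server details, while an error handler that
logs the trace-back server-side and returns a generic message does not.
"""
import json
import logging
import traceback
import uuid

log = logging.getLogger("example.rpc")


def _unexpected_failure(params):
    # Hypothetical RPC method that hits a programming error (KeyError).
    return params["missing_key"]


# Hypothetical method table; the method name is a constructed sample.
METHODS = {"model.party.read": _unexpected_failure}


def dispatch_leaky(request_json: str) -> str:
    """Vulnerable behaviour: the formatted trace-back goes to the client."""
    req = json.loads(request_json)
    try:
        result = METHODS[req["method"]](req.get("params", {}))
        return json.dumps({"id": req.get("id"), "result": result, "error": None})
    except Exception as exc:
        # Everything in traceback.format_exc() (file paths, line numbers,
        # frames, exception text) is serialised into the response.
        return json.dumps({
            "id": req.get("id"),
            "result": None,
            "error": [str(exc), traceback.format_exc()],
        })


def dispatch_hardened(request_json: str) -> str:
    """Mitigated behaviour: log the trace-back, return a generic error."""
    req = json.loads(request_json)
    try:
        result = METHODS[req["method"]](req.get("params", {}))
        return json.dumps({"id": req.get("id"), "result": result, "error": None})
    except Exception:
        # An opaque reference lets an operator find the server-side log
        # entry (which carries the full trace-back) without exposing any
        # detail to the caller.
        ref = uuid.uuid4().hex
        log.exception("unexpected error, ref=%s", ref)
        return json.dumps({
            "id": req.get("id"),
            "result": None,
            "error": ["Internal server error", "reference: " + ref],
        })


def error_message(response_json: str) -> str:
    """Return the first element of the error payload (the client-visible message)."""
    return json.loads(response_json)["error"][0]


def leaks_server_details(response_json: str) -> bool:
    """Detection check: does the error payload carry trace-back text?"""
    error = json.loads(response_json)["error"]
    blob = " ".join(error or [])
    return "Traceback (most recent call last)" in blob or 'File "' in blob


# Constructed sample request that triggers the unexpected error.
SAMPLE_REQUEST = json.dumps(
    {"id": 1, "method": "model.party.read", "params": {}})

if __name__ == "__main__":
    print("leaky   :", dispatch_leaky(SAMPLE_REQUEST))
    print("hardened:", dispatch_hardened(SAMPLE_REQUEST))
```

The `leaks_server_details` check is the kind of assertion worth keeping in a test suite or a response-filtering middleware: any error body containing a trace-back header or a `File "` frame marker is a regression of the workaround described above.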
Read at Tryton Discussion