Synopsis
Two vulnerabilities in trytond were found by Cédric Krier.
CVE-2016-1241 allows an authenticated user to read the hashed passwords of other users. Exploiting the leak is not easy thanks to the protections Tryton already applies to stored passwords: a hash method (bcrypt or SHA-1) combined with a random per-user salt (protection against rainbow tables). A leaked salted hash can still be attacked offline against weak passwords, which is why a password change is recommended in the Resolution below.
CVE-2016-1242 allows an authenticated user with write access to report or icon definitions to make the server open any file readable by the trytond process. By default, only the administrator group has this write access.
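As an added illustration of the class of bug behind CVE-2016-1242 (this is example code written for this page, not trytond's own code; the directory layout, file names and function names are constructed for the demonstration): a file-opening helper that takes a path from a record an authenticated user can edit, shown first without and then with a containment check that keeps the resolved path inside the allowed root.

```python
import os
import tempfile


class UnsafePath(ValueError):
    """Raised when a user-supplied name would resolve outside the allowed root."""


def resolve_in_root(root, relative_name):
    """Return the absolute path of relative_name inside root, or raise UnsafePath.

    realpath() is applied to both sides so that symlinks and ``..`` segments are
    collapsed before the comparison; commonpath() then checks containment on
    whole path components (a plain startswith() would accept ``/srv/trytond-evil``
    as being under ``/srv/trytond``).
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, relative_name))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafePath(relative_name)
    return candidate


def is_inside(root, relative_name):
    """Boolean form of resolve_in_root, convenient for tests and access checks."""
    try:
        resolve_in_root(root, relative_name)
        return True
    except UnsafePath:
        return False


def file_open_unchecked(root, name, mode='rb'):
    # Weak form: ``..`` segments escape ``root``, and an absolute ``name`` makes
    # os.path.join() discard ``root`` entirely.
    return open(os.path.join(root, name), mode)


def file_open_checked(root, name, mode='rb'):
    # Hardened form: only paths that resolve inside ``root`` are opened.
    return open(resolve_in_root(root, name), mode)


def demo():
    """Build a constructed tree and compare both helpers on legitimate and hostile names."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        modules = os.path.join(tmp, 'modules')          # hypothetical modules root
        os.makedirs(os.path.join(modules, 'sale'))
        with open(os.path.join(modules, 'sale', 'sale.odt'), 'wb') as f:
            f.write(b'report template')
        secret = os.path.join(tmp, 'trytond.conf')       # constructed file outside the root
        secret_body = b'[database]\nuri = postgresql://user:pass@host/db\n'
        with open(secret, 'wb') as f:
            f.write(secret_body)

        # A legitimate module-relative name works with the checked helper.
        with file_open_checked(modules, 'sale/sale.odt') as f:
            results['legit'] = f.read()

        # Traversal: the unchecked helper happily leaks the file outside the root.
        with file_open_unchecked(modules, '../trytond.conf') as f:
            results['unchecked_traversal_leak'] = f.read() == secret_body
        results['checked_traversal_blocked'] = not is_inside(modules, '../trytond.conf')

        # Absolute name: os.path.join() drops the root, so the unchecked helper leaks again.
        with file_open_unchecked(modules, secret) as f:
            results['unchecked_absolute_leak'] = f.read() == secret_body
        results['checked_absolute_blocked'] = not is_inside(modules, secret)
    return results


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

The same containment check applies to any name that originates in a database record: validate it at the point where the file is actually opened, not only in the form that edits the record, since the record can also be written through the API.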
Impact
CVE-2016-1241:
CVE-2016-1242:
Workaround
There is no workaround for CVE-2016-1241.
For CVE-2016-1242, write access to the report and icon records can be removed from all users (including the administrator group) until the upgrade is applied.
Resolution
All users should upgrade trytond to the latest version of their series.
Because CVE-2016-1241 may have exposed password hashes, it is recommended that every user changes their password after the upgrade.
Affected versions per series: <=3.2.16, <=3.4.13, <=3.6.11, <=3.8.7 and <=4.0.3
Non-affected versions per series: >=3.2.17, >=3.4.14, >=3.6.12, >=3.8.8 and >=4.0.4
References
- issue5795 https://bugs.tryton.org/issue5795
- CVE-2016-1241 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1241
- issue5808 https://bugs.tryton.org/issue5808
- CVE-2016-1242 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1242
Concern?
Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.