Tryton News: Security Release for issue #14220

Luis Falcon has found that trytond may log sensitive data like passwords when the logging level is set to INFO.

Impact

CVSS v3.0 Base Score: 4.2

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Workaround

Increasing the logging level above INFO prevents logging of the sensitive data.
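As an added illustration, not part of the advisory or of trytond itself, the Python script below uses the standard logging module (which trytond also builds on) to show why the workaround works: an INFO record carrying a password only reaches the handler when the logger's effective level is INFO or lower, and a logging.Filter can redact sensitive keys as a second line of defence for records that are still emitted. The logger name, message and parameters are constructed placeholders, not trytond's.

```python
import io
import logging
import re

# Constructed sample: a log line of the kind an application might emit at INFO
# level when it echoes request parameters. Field names are hypothetical.
SAMPLE_MSG = "login request params=%s"
SAMPLE_PARAMS = {"login": "alice", "password": "s3cret-hunter2"}

# Keys whose values should never appear in a log line.
SENSITIVE_KEYS = re.compile(r"(password|passwd|secret|token)", re.IGNORECASE)


class RedactSensitiveArgs(logging.Filter):
    """Scrub sensitive values from dict-shaped log arguments before formatting.

    Defence in depth: it complements raising the level above INFO, it does not
    replace it, because only keys matching SENSITIVE_KEYS are redacted.
    """

    def filter(self, record):
        args = record.args
        # logging collapses a single mapping argument into record.args itself
        if isinstance(args, dict):
            record.args = self._scrub(args)
        elif isinstance(args, tuple):
            record.args = tuple(
                self._scrub(a) if isinstance(a, dict) else a for a in args
            )
        return True  # keep the (now scrubbed) record

    @staticmethod
    def _scrub(mapping):
        return {
            k: ("***" if SENSITIVE_KEYS.search(str(k)) else v)
            for k, v in mapping.items()
        }


def capture_log(level_name, redact=False):
    """Emit the sample INFO record through a logger set to `level_name`
    ("INFO", "WARNING", ...) and return exactly what reached the handler.

    Returns "" when the level filters the record out, which is the effect of
    the advisory's workaround.
    """
    logger = logging.getLogger("example.constructed")  # placeholder name
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(level_name)

    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redact:
        logger.addFilter(RedactSensitiveArgs())

    logger.info(SAMPLE_MSG, SAMPLE_PARAMS)

    logger.removeHandler(handler)
    return buf.getvalue()


if __name__ == "__main__":
    print("level INFO            :", capture_log("INFO").rstrip() or "(nothing logged)")
    print("level WARNING         :", capture_log("WARNING").rstrip() or "(nothing logged)")
    print("level INFO + redaction:", capture_log("INFO", redact=True).rstrip())
```

Run the script directly to see the three cases side by side. In a real deployment the workaround is applied in trytond's own logging configuration rather than in code; the filter shown here is a generic pattern for applications that must keep INFO logging on for other reasons.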

Resolution

All affected users should upgrade trytond to the latest version.

Affected versions per series:

  • trytond:
    • 7.6: <= 7.6.6
    • 7.4: <= 7.4.16
    • 7.0: <= 7.0.35

Non-affected versions per series:

  • trytond:
    • 7.6: >= 7.6.7
    • 7.4: >= 7.4.17
    • 7.0: >= 7.0.36

Reference

Concerns?

Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the confidential checkbox checked.

https://discuss.tryton.org/t/security-release-for-issue-14220/8823