PT-2018-14964 · Tryton

Cédric Krier · Published 2018-11-22 · Updated 2018-12-22 · CVE-2018-19443

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Tryton version 5.0.0
Description: Under specific circumstances the client attempts to establish a connection to the bus in cleartext instead of over an encrypted channel (see bus.py and jsonrpc.py). Although the connection attempt fails, the request already carries the current user session in its header, so a man-in-the-middle on the path can capture it and steal the session.
Recommendations: For Tryton version 5.0.0, update to version 5.0.1 to resolve the issue.
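The defensive pattern behind the fix, added here as an illustrative example (this is not Tryton's own bus.py or jsonrpc.py code): the session credential must only be attached once the bus URL is known to use TLS, so a cleartext attempt never leaves the client with a session header on it. The helper names and the Authorization header format are assumptions.

```python
# Added example, not Tryton project code. Helper names (BusConfigError,
# build_bus_request, try_connect) and the "Session <base64>" header format
# are assumptions made for this illustration.
import base64
from urllib.parse import urlsplit, urlunsplit


class BusConfigError(Exception):
    """Raised when the derived bus endpoint would carry a session in cleartext."""


def build_bus_request(rpc_url: str, session: str) -> dict:
    """Derive the bus endpoint from the RPC URL and attach the session header.

    The scheme check happens before any header is built, so a cleartext
    endpoint can never be handed a request that already contains the session.
    """
    parts = urlsplit(rpc_url)
    if parts.scheme.lower() != "https":
        raise BusConfigError(
            f"refusing to send session over cleartext to {parts.netloc}")
    bus_url = urlunsplit(("https", parts.netloc, "/bus", "", ""))
    token = base64.b64encode(session.encode()).decode()
    return {"url": bus_url, "headers": {"Authorization": "Session " + token}}


def try_connect(rpc_url: str, session: str) -> tuple:
    """Return (headers_that_would_be_sent, error) for inspection.

    For a cleartext URL the first element is None: nothing carrying the
    session was ever constructed, which is the property the fix needs.
    """
    try:
        req = build_bus_request(rpc_url, session)
    except BusConfigError as exc:
        return None, str(exc)
    return req["headers"], None


if __name__ == "__main__":
    # Constructed sample inputs; the session value is a placeholder.
    print(try_connect("http://example.invalid:8000/db", "user:1:key"))
    print(try_connect("https://example.invalid:8000/db", "user:1:key"))
```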

Fix

Weakness Enumeration

Session Fixation

Related identifiers

CVE-2018-19443
GHSA-32W7-9WHP-CJP9
OPENSUSE-SU-2018_4242-1
OPENSUSE-SU-2018_4248-1
PYSEC-2018-77

Affected products

Suse
Tryton