Description
The client in Tryton 5.x before 5.0.1 tries, under certain circumstances in bus.py and jsonrpc.py, to connect to the bus in cleartext instead of over an encrypted connection. The connection attempt fails, but its header carries the user's current session, which could then be stolen by a man-in-the-middle.
References (2)
Vendor Advisory (x_refsource_misc): https://discuss.tryton.org/t/security-release-for-issue7792/830
Issue Tracking, Third Party Advisory (x_refsource_misc): https://bugs.tryton.org/issue7792
Scores
CVSS v3: 5.9
EPSS: 0.0086
EPSS Percentile: 53.5%
Attack Vector: NETWORK
CVSS v3 vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-384
Status: published
Products (2)
pypi/tryton: 5.0.0 - 5.0.1 (PyPI)
tryton/tryton: 5.0.0
Published: Nov 22, 2018
Tracked Since: Feb 18, 2026