CVE-2018-19443

Name: CVE-2018-19443
Description: The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but its header contains the user's current session. This session could then be stolen by a man-in-the-middle.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        Release        Version    Status
tryton-client (PTS)   stretch        4.2.1-1    fixed
                      buster         5.0.5-1    fixed
                      bullseye, sid  5.0.27-1   fixed

The information below is based on the following data on fixed versions.

Package         Type     Release     Fixed Version    Urgency   Origin   Debian Bugs
tryton-client   source   (unstable)  (not affected)

Notes

- tryton-client <not-affected> (Only affects 5.x, vulnerable 5.0.0 version never in Debian)
https://discuss.tryton.org/t/security-release-for-issue7792/830
https://bugs.tryton.org/issue7792
