CVE-2012-0215
medium
CVSS v3
—
CVSS v2
5.5
VIR risk
5.5
Description
model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.
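The description compresses a bug class worth seeing in code: a Many2Many field is stored as rows in a separate relation model, and if the access layer only has rules for the two endpoint models, an authenticated user can write the relation rows directly and grant themselves a group. The following is an added illustration, not trytond's own code. The model names (res.user, res.group, res.user-res.group), the in-memory registry, the write-rule table, the rpc() dispatcher and the hardening choice (a relation model inherits the rule of the model that owns the Many2Many field) are all assumptions made for this example; the sample records are constructed.

```python
"""Toy model of an unrestricted Many2Many relation model (added example).

Not trytond code. Model names, the access policy and rpc() are assumptions
chosen to mirror Tryton naming; the records below are constructed.
"""
from dataclasses import dataclass, field


class AccessError(Exception):
    pass


def sample_records():
    # Constructed data: user 1 is the administrator, user 2 is a plain user.
    return {
        'res.user': [{'id': 1, 'login': 'admin'}, {'id': 2, 'login': 'alice'}],
        'res.group': [{'id': 10, 'name': 'Administration'}],
        # Relation model backing the Many2Many field res.user.groups.
        'res.user-res.group': [{'id': 100, 'user': 1, 'group': 10}],
    }


# Many2Many field -> (relation model, origin column, target column).
MANY2MANY = {
    ('res.user', 'groups'): ('res.user-res.group', 'user', 'group'),
}


@dataclass
class Registry:
    records: dict = field(default_factory=sample_records)
    # Constructed policy: only user 1 may write res.user and res.group.
    # No rule exists for the relation model, which is the gap being shown.
    write_rules: dict = field(
        default_factory=lambda: {'res.user': {1}, 'res.group': {1}})
    check_relation_models: bool = False  # False reproduces the weak behaviour

    def owner_of_relation(self, model):
        """Model that owns the Many2Many backed by `model`, or None."""
        for (owner, _fname), (rel, _o, _t) in MANY2MANY.items():
            if rel == model:
                return owner
        return None

    def check_write(self, model, user):
        rules = self.write_rules.get(model)
        if rules is None and self.check_relation_models:
            # Hardened: the relation model is as protected as its owner,
            # so res.user-res.group needs write access on res.user.
            owner = self.owner_of_relation(model)
            if owner is not None:
                rules = self.write_rules.get(owner)
        if rules is None:
            return  # weak default: no rule means no restriction
        if user not in rules:
            raise AccessError(f'user {user} may not write {model}')

    def rpc(self, method, model, user, values=None, ids=()):
        """Stand-in for the create/write/delete/copy RPC surface."""
        self.check_write(model, user)
        table = self.records[model]
        if method == 'create':
            rec = dict(values, id=max(r['id'] for r in table) + 1)
            table.append(rec)
            return rec['id']
        if method == 'write':
            for rec in table:
                if rec['id'] in ids:
                    rec.update(values)
            return True
        if method == 'delete':
            table[:] = [r for r in table if r['id'] not in ids]
            return True
        if method == 'copy':
            src = [r for r in table if r['id'] in ids]
            return [self.rpc('create', model, user, dict(r)) for r in src]
        raise ValueError(method)

    def groups_of(self, user_id):
        rel, ocol, tcol = MANY2MANY[('res.user', 'groups')]
        return sorted(r[tcol] for r in self.records[rel] if r[ocol] == user_id)


def escalate(registry, attacker=2, group=10):
    """Authenticated non-admin adds themselves to a group by creating a row
    in the relation model. Returns True if the privilege change landed."""
    try:
        registry.rpc('create', 'res.user-res.group', attacker,
                     {'user': attacker, 'group': group})
    except AccessError:
        return False
    return group in registry.groups_of(attacker)


if __name__ == '__main__':
    print('weak registry escalates:', escalate(Registry()))
    print('hardened registry escalates:',
          escalate(Registry(check_relation_models=True)))
```

With the weak default, alice cannot write res.user directly but can create a res.user-res.group row for herself, which is the same outcome as editing the admin's group list; the hardened path closes that by routing the relation model through its owner's rule. The same check has to sit in front of write, delete and copy as well, since removing or duplicating relation rows is just as much a privilege change as creating them.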
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Debian security tracker: https://security-tracker.debian.org/tracker/CVE-2012-0215
Tryton security release announcement: http://news.tryton.org/2012/03/security-releases-for-all-supported.html
Upstream fix (trytond Mercurial changeset 8e64d52ecea4): http://hg.tryton.org/trytond/rev/8e64d52ecea4
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2.2.2-1 |
| debian | bullseye | fixed | 2.2.2-1 |
| debian | forky | fixed | 2.2.2-1 |
| debian | sid | fixed | 2.2.2-1 |
| debian | trixie | fixed | 2.2.2-1 |
References
- http://hg.tryton.org/trytond/rev/8e64d52ecea4
- http://news.tryton.org/2012/03/security-releases-for-all-supported.html
- http://www.debian.org/security/2012/dsa-2444
- https://bugs.tryton.org/issue2476
- https://nvd.nist.gov/vuln/detail/CVE-2012-0215
- https://github.com/tryton/trytond/commit/d059ebb792401ded3129cd9402d7392dc34b81e3
- https://github.com/pypa/advisory-database/tree/main/vulns/trytond/PYSEC-2012-6.yaml
- https://github.com/tryton/trytond
- https://web.archive.org/web/20121113201043/http://news.tryton.org/2012/03/security-releases-for-all-supported.html
- https://security-tracker.debian.org/tracker/CVE-2012-0215
CWEs
CWE-264