CVE-2014-6633
unknown
CVSS v3: —
CVSS v2: —
VIR risk: —
Description
The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the collection.domain in the webdav module or (2) the formula field in the price_list module.
Predictions
Exploit likelihood: 30%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2014-6633
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 3.2.3-1 |
| debian | bullseye | fixed | 3.2.3-1 |
| debian | forky | fixed | 3.2.3-1 |
| debian | sid | fixed | 3.2.3-1 |
| debian | trixie | fixed | 3.2.3-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | tryton | <2.4.15 | 2.4.15 |
| PyPI | tryton | >=2.6.0,<2.6.14 | 2.6.14 |
| PyPI | tryton | >=2.8.0,<2.8.11 | 2.8.11 |
| PyPI | tryton | >=3.2.0,<3.2.3 | 3.2.3 |
| PyPI | trytond | >=2.4.0,<2.4.15 | 2.4.15 |
| PyPI | trytond | >=2.6.0,<2.6.14 | 2.6.14 |
| PyPI | trytond | >=2.8.0,<2.8.11 | 2.8.11 |
| PyPI | trytond | >=3.2.0,<3.2.3 | 3.2.3 |
| PyPI | trytond | >=3.0.0,<3.0.7 | 3.0.7 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2014-6633
- https://github.com/tryton/trytond/commit/19fc2a01357b7638041953326e404f51d96fad06
- https://github.com/tryton/trytond/commit/3e4c2b7e8c7b3358597a0d484fa98f45483ee92a
- https://bugs.tryton.org/issue4155
- https://github.com/pypa/advisory-database/tree/main/vulns/trytond/PYSEC-2018-59.yaml
- https://github.com/tryton/trytond
- http://www.tryton.org/posts/security-release-for-issue4155.html
- https://security-tracker.debian.org/tracker/CVE-2014-6633