Bugzilla – Bug 1131707
VUL-1: CVE-2019-10868: tryton: an authenticated user can order records based on a field for which he has no access
Last modified: 2023-02-12 16:25:04 UTC
CVE-2019-10868: In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.
References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-10868
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10868
https://hg.tryton.org/trytond/rev/f58bbfe0aefb
https://discuss.tryton.org/t/security-release-for-issue8189/1262
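To illustrate the bug class described above, here is an added Python example (not trytond code) modelling a simplified record store: `search_vulnerable` applies the caller's order clause without a field-access check, so the position of each returned record leaks the relative value of a field the read path hides, while `search_fixed` rejects any order field the user cannot read. The `Model` class, `build_sample` data and user names are constructed for this illustration.

```python
from dataclasses import dataclass

class AccessError(Exception):
    """Raised when a search tries to order by a field the user may not read."""

@dataclass
class Model:
    records: list          # all stored rows (constructed sample data)
    field_access: dict     # user -> set of field names that user may read

    def readable_fields(self, user):
        return self.field_access.get(user, set())

    def can_order_by(self, user, order):
        # True only if every (field, direction) in order names a readable field
        allowed = self.readable_fields(user)
        return all(fname in allowed for fname, _ in order)

    def _sorted(self, order):
        # order is a list of (field, 'ASC'|'DESC'); stable sorts applied in reverse
        rows = list(self.records)
        for fname, direction in reversed(order):
            rows.sort(key=lambda r: r[fname], reverse=direction.upper() == 'DESC')
        return rows

    def _project(self, rec, user):
        # the read path already strips fields the user cannot access
        return {k: v for k, v in rec.items() if k in self.readable_fields(user)}

    def search_vulnerable(self, user, order):
        # Pre-fix behaviour: no access check on order fields, so the sort order
        # of the visible ids reveals how the hidden field values compare.
        return [self._project(r, user) for r in self._sorted(order)]

    def search_fixed(self, user, order):
        # Post-fix behaviour: refuse any order clause on an unreadable field.
        if not self.can_order_by(user, order):
            raise AccessError(f"{user!r} may not order by {[f for f, _ in order]!r}")
        return [self._project(r, user) for r in self._sorted(order)]

def build_sample():
    """Constructed sample: 'clerk' may read id and name but not salary."""
    records = [
        {'id': 1, 'name': 'Dave', 'salary': 5000},
        {'id': 2, 'name': 'Bob', 'salary': 7000},
        {'id': 3, 'name': 'Carol', 'salary': 3000},
    ]
    access = {'admin': {'id', 'name', 'salary'}, 'clerk': {'id', 'name'}}
    return Model(records, access)
```

Running `build_sample().search_vulnerable('clerk', [('salary', 'ASC')])` returns the rows without a `salary` key, yet in salary order, which is the oracle the advisory describes; `search_fixed` raises `AccessError` for the same call.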
TW --> 4.6.16 not affected
LEAP 15/42.3 --> 4.2.19 affected
(In reply to Alexandros Toptsoglou from comment #1)
> TW --> 4.6.16 not affected
TW *is* affected as well! Will wait for gnuhealth-client (affected as well...) and update all together.
This is an autogenerated message for OBS integration: This bug (1131707) was mentioned in https://build.opensuse.org/request/show/692918 Factory / tryton https://build.opensuse.org/request/show/692919 15.1 / tryton
This is an autogenerated message for OBS integration: This bug (1131707) was mentioned in https://build.opensuse.org/request/show/692948 42.3 / tryton https://build.opensuse.org/request/show/692949 15.0 / tryton
This is an autogenerated message for OBS integration: This bug (1131707) was mentioned in https://build.opensuse.org/request/show/694857 42.3 / tryton https://build.opensuse.org/request/show/694858 15.0 / tryton
This is an autogenerated message for OBS integration: This bug (1131707) was mentioned in https://build.opensuse.org/request/show/696161 Factory / gnuhealth-client https://build.opensuse.org/request/show/696162 15.1 / gnuhealth-client
This is an autogenerated message for OBS integration: This bug (1131707) was mentioned in https://build.opensuse.org/request/show/697279 15.0 / tryton https://build.opensuse.org/request/show/697280 42.3 / tryton
openSUSE-RU-2019:1335-1: An update that fixes one vulnerability is now available. Category: recommended (low) Bug References: 1131707 CVE References: CVE-2019-10868 Sources used: openSUSE Leap 15.0 (src): tryton-4.2.24-lp150.2.18.1
openSUSE-RU-2019:1334-1: An update that fixes one vulnerability is now available. Category: recommended (low) Bug References: 1131707 CVE References: CVE-2019-10868 Sources used: openSUSE Leap 42.3 (src): tryton-4.2.24-35.1
openSUSE-RU-2019:1340-1: An update that fixes one vulnerability is now available. Category: recommended (low) Bug References: 1131707 CVE References: CVE-2019-10868 Sources used: openSUSE Backports SLE-15 (src): tryton-4.2.24-bp150.2.14.1
This is automated batch bugzilla cleanup. The openSUSE 42.3 changed to end-of-life (EOL [1]) status. As such it is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of openSUSE (At this moment openSUSE Leap 15.1, 15.0 and Tumbleweed) please feel free to reopen this bug against that version (!you must update the "Version" component in the bug fields, do not just reopen please), or alternatively create a new ticket. Thank you for reporting this bug and we are sorry it could not be fixed during the lifetime of the release. [1] https://en.opensuse.org/Lifetime
was fixed
This is an autogenerated message for OBS integration: This bug (1131707) was mentioned in https://build.opensuse.org/request/show/1064690 Factory / gnuhealth-client