SB2018041218 - Command Injection in Python Tryton

Published: April 12, 2018 Updated: August 10, 2020

Security Bulletin ID: SB2018041218
Severity: High
Patch available: Yes
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Command Injection (CVE-ID: CVE-2014-6633)

The vulnerability allows a remote authenticated user to execute arbitrary code on the trytond server.

The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the collection.domain in the webdav module or (2) the formula field in the price_list module. Both are user-editable string fields that trytond hands to safe_eval, so exploitation requires an account that is permitted to edit a WebDAV collection or a price list; the versions listed are the first fixed release in each series.
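The bulletin does not describe how trytond's safe_eval was implemented, and the code below is an added illustration, not Tryton's code. It contrasts the generic anti-pattern that such functions are usually built on (Python eval() with `__builtins__` stripped, which still lets an expression reach interpreter internals through attribute access) with a whitelist evaluator that parses the formula into an AST and only walks arithmetic, comparison and conditional nodes over a fixed set of names. The context names (`unit_price`, `quantity`, `discount`) are constructed stand-ins for what a price-list formula might reference, not trytond field names.

```python
import ast
import operator

# Constructed pricing context standing in for values a price-list formula
# might reference. The names are illustrative, not trytond's.
CONTEXT = {"unit_price": 10.0, "quantity": 3, "discount": 0.1}


def naive_safe_eval(expr, names):
    """Pattern to avoid: eval() with builtins stripped is not a sandbox.

    Hiding __builtins__ removes the easy route (open, __import__, ...),
    but every value still exposes its type and the class hierarchy via
    dunder attributes, so user-supplied text can still walk back to
    arbitrary interpreter objects. Anything fed here is trusted code.
    """
    return eval(expr, {"__builtins__": {}}, dict(names))


# Operators the restricted evaluator is willing to apply.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos, ast.Not: operator.not_}
_CMP_OPS = {
    ast.Lt: operator.lt, ast.LtE: operator.le,
    ast.Gt: operator.gt, ast.GtE: operator.ge,
    ast.Eq: operator.eq, ast.NotEq: operator.ne,
}


class FormulaError(ValueError):
    """Raised for any syntax the whitelist does not cover."""


def _evaluate(node, names):
    # Each branch handles exactly one node type; anything else is rejected,
    # which is what rules out Attribute, Call, Subscript, Lambda, etc.
    if isinstance(node, ast.Expression):
        return _evaluate(node.body, names)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, bool)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id not in names:
            raise FormulaError("unknown name: %s" % node.id)
        return names[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_evaluate(node.left, names),
                                       _evaluate(node.right, names))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_evaluate(node.operand, names))
    if (isinstance(node, ast.Compare) and len(node.ops) == 1
            and type(node.ops[0]) in _CMP_OPS):
        return _CMP_OPS[type(node.ops[0])](_evaluate(node.left, names),
                                           _evaluate(node.comparators[0], names))
    if isinstance(node, ast.IfExp):
        chosen = node.body if _evaluate(node.test, names) else node.orelse
        return _evaluate(chosen, names)
    raise FormulaError("disallowed syntax: %s" % type(node).__name__)


def restricted_eval(expr, names):
    """Parse the formula, then interpret only whitelisted AST node types."""
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise FormulaError("syntax error: %s" % exc)
    return _evaluate(tree, names)


def check(expr, names=CONTEXT):
    """Return (accepted, value_or_reason) so accepted and rejected inputs read alike."""
    try:
        return True, restricted_eval(expr, names)
    except FormulaError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # The naive evaluator lets a formula read the type of a context value;
    # the restricted one refuses the attribute access outright.
    print(naive_safe_eval("unit_price.__class__", CONTEXT))
    print(check("unit_price * quantity * (1 - discount)"))
    print(check("unit_price.__class__"))
    print(check("__import__('os')"))
```

The important property is that the interpreter never calls eval() on the stored string at all: the set of reachable behaviour is the closed list of node types above, so a new bypass would have to be added to the whitelist rather than discovered in the runtime.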


Remediation

Upgrade trytond to 2.4.15, 2.6.14, 2.8.11, 3.0.7, or 3.2.3 (or a later release in the same series), as published by the vendor.