Man-in-the-Middle (MitM)

Affecting tryton package, versions [5.0.0, 5.0.1)

Overview

tryton is a three-tier, high-level, general-purpose application platform written in Python that uses PostgreSQL as its database engine.

Affected versions of this package are vulnerable to a man-in-the-middle attack. Under certain circumstances, code in bus.py and jsonrpc.py made the client open its connection to the bus in cleartext instead of over the encrypted channel it was configured to use. The connection attempt failed, but the request it sent already carried the user's current session in a header, so an attacker on the network path could read that header from the cleartext request and steal the session.
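The failure mode above, as an added example that is not Tryton's code: a client that derives the bus URL with a hard-coded cleartext scheme sends its session credential over http:// even though it was configured for https://, and a passive observer on the path reads the session straight out of the request head. The hardened variant keeps the configured scheme and refuses to put the credential on a non-TLS URL. The `Session base64(login:user_id:session)` header shape, the `/bus` path and the sample server URL and session id are assumptions for this illustration.

```python
import base64
from urllib.parse import urlsplit, urlunsplit

BUS_PATH = "/bus"  # assumed bus endpoint path, for illustration only


def session_authorization(login, user_id, session):
    """Build the credential the client puts in its Authorization header.
    The 'Session base64(login:user_id:session)' shape is assumed here."""
    token = "%s:%d:%s" % (login, user_id, session)
    return "Session " + base64.b64encode(token.encode()).decode()


def bus_url_vulnerable(server_url):
    """Bug pattern: the bus URL is built with a hard-coded cleartext scheme,
    so a client configured for https:// sends its first request over http://."""
    parts = urlsplit(server_url)
    return urlunsplit(("http", parts.netloc, BUS_PATH, "", ""))


def bus_url_fixed(server_url):
    """Fix: inherit the scheme of the configured server URL."""
    parts = urlsplit(server_url)
    return urlunsplit((parts.scheme, parts.netloc, BUS_PATH, "", ""))


def build_request(url, headers):
    """Serialize a plain HTTP/1.1 request head as it would leave the socket."""
    parts = urlsplit(url)
    lines = ["POST %s HTTP/1.1" % (parts.path or "/"), "Host: %s" % parts.netloc]
    lines.extend("%s: %s" % (k, v) for k, v in headers.items())
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def send_session(url, authorization, require_tls=True):
    """Guard a hardened client applies before anything is written: never put
    the session credential on a non-TLS URL. Returns the wire bytes."""
    if require_tls and urlsplit(url).scheme != "https":
        raise ValueError("refusing to send session credential over %s" % url)
    return build_request(url, {"Authorization": authorization})


def sniff_session(wire):
    """What a passive on-path observer recovers from a cleartext request:
    the Authorization header decodes straight back to the session id."""
    for line in wire.split(b"\r\n"):
        if line.lower().startswith(b"authorization: session "):
            blob = line.split(b" ", 2)[2]
            _login, _uid, session = base64.b64decode(blob).decode().split(":", 2)
            return session
    return None


if __name__ == "__main__":
    server = "https://erp.example.org:8000/"                 # constructed config
    auth = session_authorization("admin", 1, "d4c1c4f2e9")   # constructed session
    # Vulnerable client: scheme downgraded, credential observable on the path.
    leaked = send_session(bus_url_vulnerable(server), auth, require_tls=False)
    print("MitM sees session:", sniff_session(leaked))
    # Hardened client: the same downgrade is refused before any byte is sent.
    try:
        send_session(bus_url_vulnerable(server), auth)
    except ValueError as exc:
        print("guard:", exc)
    # Fixed URL derivation keeps https and passes the guard.
    print(send_session(bus_url_fixed(server), auth).split(b"\r\n")[0])
```

The point of the `send_session` guard is that a scheme check belongs at the place the credential is attached, not only where the URL is built: the connection failing, as it did here, does not help once the header is already on the wire.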

Remediation

Upgrade tryton to version 5.0.1 or higher.


CVSS Score

4.2
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Credit
Cedric Krier
CVE
CVE-2018-19443
CWE
CWE-300
Snyk ID
SNYK-PYTHON-TRYTON-72631
Disclosed
22 Nov, 2018
Published
28 Nov, 2018