Multiple vulnerabilities in Python Tryton
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2016-1242 CVE-2016-1241 |
| CWE-ID | CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Tryton Client/Desktop applications / Other client software |
| Vendor | Python.org |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU40129
Risk: Low
CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-1242
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote privileged user to gain access to sensitive information.
file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsTryton: 3.2.0 - 4.0.3
CPE2.3- cpe:2.3:a:python_org:tryton:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:python_org:tryton:3.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:python_org:tryton:3.4.1:*:*:*:*:*:*:*
https://www.debian.org/security/2016/dsa-3656
https://www.tryton.org/posts/security-release-for-issue5795-and-issue5808.html
https://bugs.tryton.org/issue5808
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU40130
Risk: Medium
CVSSv4.0: 2.3 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2016-1241
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsTryton: 3.2.0 - 4.0.3
CPE2.3- cpe:2.3:a:python_org:tryton:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:python_org:tryton:3.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:python_org:tryton:3.4.1:*:*:*:*:*:*:*
https://www.debian.org/security/2016/dsa-3656
https://www.tryton.org/posts/security-release-for-issue5795-and-issue5808.html
https://bugs.tryton.org/issue5795
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
