Command Injection in Tryton - CVE-2014-6633


Published: April 12, 2018 / Updated: August 10, 2020


Vulnerability identifier: #VU41122
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2014-6633
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Tryton
Affected software:
Tryton

Detailed vulnerability description

The vulnerability allows a remote authenticated user to execute arbitrary commands on the trytond server. Both injection points are values a user can store in ordinary records, so an account that can edit a WebDAV collection or a price list is sufficient.

The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the collection.domain in the webdav module or (2) the formula field in the price_list module.
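The root problem is the vulnerability class rather than any one field: an expression evaluator built on Python's `eval()` cannot be made "safe" by stripping builtins, because any literal exposes the interpreter through introspection. The block below is an added illustration for this page, not trytond's own `safe_eval` and not a reproduction of the trytond bug; the formula names (`unit_price`), the attacker expression and the whitelist are all assumptions. It shows the unsafe pattern escaping to `os.system` (the result is only inspected, never called) beside an AST-whitelist evaluator that rejects attribute access, subscripts and comprehensions outright.

```python
"""Added example: why eval()-based "safe" evaluation fails, and an AST
whitelist that handles the same price-list style formulas.  Illustrative
only; this is not trytond's safe_eval and the names are assumptions."""
import ast
import operator
import os

# --- 1. The unsafe pattern: eval() with builtins stripped -------------------

def naive_safe_eval(expr, names):
    # Removing __builtins__ looks like a sandbox but is not one: every object
    # reachable from a literal carries a path back to the interpreter.
    return eval(expr, {"__builtins__": {}}, dict(names))

# Constructed attacker "formula": walks from an empty tuple to os.system using
# only attribute access, a comprehension and a subscript (no builtins, no
# import).  Relies on CPython's os._wrap_close being a direct object subclass.
ESCAPE = (
    "[c for c in ().__class__.__base__.__subclasses__() "
    "if c.__name__ == '_wrap_close'][0].__init__.__globals__['system']"
)

def escape_reaches_os_system():
    """True if the 'sandboxed' eval hands back os.system (identity check only)."""
    return naive_safe_eval(ESCAPE, {}) is os.system

# --- 2. The safer pattern: parse first, then walk an explicit whitelist -----

_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_FUNCS = {"min": min, "max": max, "round": round}  # assumed helper set

class FormulaError(ValueError):
    """Raised for any syntax outside the whitelist."""

def eval_formula(expr, names):
    """Evaluate an arithmetic formula over the given variables.

    Anything that is not a numeric constant, a known name, a binary/unary
    arithmetic operator or a call to a whitelisted function is rejected, so
    Attribute, Subscript, ListComp, Lambda, Import etc. never execute.
    """
    tree = ast.parse(expr, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
                and not isinstance(node.value, bool):
            return node.value
        if isinstance(node, ast.Name):
            if node.id in names:
                return names[node.id]
            raise FormulaError("unknown name %r" % node.id)
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in _FUNCS and not node.keywords):
            return _FUNCS[node.func.id](*[walk(a) for a in node.args])
        raise FormulaError("disallowed syntax: %s" % type(node).__name__)

    return walk(tree)

def formula_rejected(expr):
    """True if the whitelist evaluator refuses the expression."""
    try:
        eval_formula(expr, {"unit_price": 10.0})
    except FormulaError:
        return True
    return False

if __name__ == "__main__":
    print("naive eval reaches os.system:", escape_reaches_os_system())
    print("unit_price * 2 ->", eval_formula("unit_price * 2", {"unit_price": 10.0}))
    print("escape rejected by whitelist:", formula_rejected(ESCAPE))
```

The design point is that the safe evaluator never calls `eval()` at all: it parses to an AST and only ever executes node types it recognises, so new attribute-walking tricks cannot appear without a change to the whitelist. The escape expression is deliberately only compared by identity against `os.system`; it is not invoked.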


How to mitigate CVE-2014-6633

Upgrade trytond to 2.4.15, 2.6.14, 2.8.11, 3.0.7 or 3.2.3 (or a later release of the respective series), the fixed versions listed in the description above. Because both injection points are values stored in records, review existing price_list formulas and webdav collection domains after upgrading.
