CVE-2018-19443
Severity Score
5.9
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle.
El cliente en Tryton, en versiones 5.x anteriores a la 5.0.1, intenta establecer una conexión con el bus en texto claro en vez de cifrado bajo ciertas circunstancias en bus.py y jsonrpc.py. El intento de conexión falla, pero contiene la sesión actual del usuario en la cabecera. Dicha sesión podría ser robada por un atacante Man-in-the-Middle (MitM).
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2018-11-22 CVE Reserved
- 2018-11-22 CVE Published
- 2023-03-07 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-384: Session Fixation
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://bugs.tryton.org/issue7792 | Issue Tracking |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://discuss.tryton.org/t/security-release-for-issue7792/830 | 2018-12-20 |