Bug 1016886 - (CVE-2016-1242) VUL-0: CVE-2016-1242: tryton,trytond: admin user able to access all files on system
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 42.2
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assigned To: Axel Braun
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/172245/
Depends on:
Blocks:
Reported: 2016-12-22 08:37 UTC by Andreas Stieger
Modified: 2017-01-15 18:55 UTC
CC: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2016-12-22 08:37:07 UTC
file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12,
3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with
certain permissions to read arbitrary files via the name parameter or
unspecified other vectors.

https://build.opensuse.org/request/show/447339
https://build.opensuse.org/request/show/447340

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1374220
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1242
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1242.html
http://www.debian.org/security/2016/dsa-3656
https://bugs.tryton.org/issue5808
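The description above says a file-open helper accepted a caller-supplied name and could be made to read files outside the intended directory. The following is an added illustration of the defensive pattern that closes that class of bug: resolve the requested name against a fixed root and refuse anything that does not end up underneath it. It is not trytond's code and not the fix shipped in the updates referenced here; `resolve_inside_root`, `safe_file_open`, `PathTraversalError` and the directory layout built in `demo()` are hypothetical names and constructed data used only for this example.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    """Raised when a requested name escapes the configured root (hypothetical)."""


def resolve_inside_root(root, name):
    """Return the absolute path of `name` inside `root`, or raise.

    Hypothetical helper (not trytond's file_open): the requested name is
    joined to the root, '..' segments and symlinks are resolved, and the
    result must still lie under the resolved root. Absolute names are
    rejected up front because os.path.join would otherwise discard the root.
    """
    if os.path.isabs(name):
        raise PathTraversalError("absolute paths are not allowed: %r" % name)
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, name))
    # commonpath avoids the "/data/modules" vs "/data/modules-old" prefix trap
    # that a plain str.startswith() containment check would fall into.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversalError("path escapes root: %r" % name)
    return candidate


def safe_file_open(root, name, mode="r"):
    """Open `name` relative to `root`, refusing anything outside it."""
    return open(resolve_inside_root(root, name), mode)


def demo():
    """Build a throwaway tree (constructed data) and classify some names.

    Returns a dict mapping each requested name to "ok:<bytes read>" or
    "rejected", so the behaviour can be checked without reading stdout.
    """
    base = tempfile.mkdtemp()
    root = os.path.join(base, "modules")
    os.makedirs(os.path.join(root, "account"))
    with open(os.path.join(root, "account", "tryton.cfg"), "w") as f:
        f.write("[tryton]\n")
    # A file outside the root, plus a symlink inside the root pointing at it.
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("outside the root\n")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "link.txt"))

    names = (
        "account/tryton.cfg",              # plain relative name: allowed
        "account/../account/tryton.cfg",   # normalises back inside root: allowed
        "../secret.txt",                   # parent escape: rejected
        "account/../../secret.txt",        # escape after a valid prefix: rejected
        "/etc/hostname",                   # absolute path: rejected
        "link.txt",                        # symlink resolving outside root: rejected
    )
    results = {}
    for name in names:
        try:
            with safe_file_open(root, name) as f:
                results[name] = "ok:%d" % len(f.read())
        except PathTraversalError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-32s %s" % (name, outcome))
```

The check works on the fully resolved path rather than by blacklisting `..`, so a name that wanders out and back in (`account/../account/tryton.cfg`) is accepted while a symlink planted inside the root that points outside it is refused, because `realpath` follows the link before the containment test.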
Comment 1 Swamp Workflow Management 2016-12-22 23:00:28 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2017-01-02 16:08:01 UTC
openSUSE-SU-2017:0009-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1016817,1016885,1016886
CVE References: CVE-2016-1241,CVE-2016-1242
Sources used:
openSUSE Leap 42.2 (src):    gnuhealth-3.0.5-3.1, proteus-3.8.5-3.1, tryton-3.8.12-3.1, trytond-3.8.9-4.1, trytond_account-3.8.5-3.1, trytond_account_invoice-3.8.4-3.1, trytond_stock-3.8.4-3.1, trytond_stock_lot-3.8.1-3.1
Comment 3 Axel Braun 2017-01-15 18:55:56 UTC
Update in Leap:42.2:Updates