CVE-2014-6633

Description

The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the collection.domain in the webdav module or (2) the formula field in the price_list module.

How to fix CVE-2014-6633

To remediate CVE-2014-6633, upgrade the affected package to a fixed version below.

• —upgrade to 3.2.3-1 or later
• —upgrade to 1.6.1-2+squeeze2 or later
• —upgrade to 2.2.4-1+deb7u2 or later
• —upgrade to 2.4.15 or later
• —upgrade to 2.4.15 or later
• —upgrade to 2.4.15 or later

Is CVE-2014-6633 being exploited?

Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• from 0, < 3.2.3-1
• from 0, < 1.6.1-2+squeeze2
• from 0, < 2.2.4-1+deb7u2
• from 0, < 2.4.15
• >= 2.4.0, < 2.4.15
• >= 2.4.0, < 2.4.15, >= 2.6.0, < 2.6.14, >= 2.8.0, < 2.8.11, >= 3.2.0, < 3.2.3, >= 3.0.0, < 3.0.7

CVSS scores

References (9)

• ADVISORYgithub.com/advisories/GHSA-m9jj-5qvj-5fhx
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-6633
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-6633
• PATCHgithub.com/tryton/trytond
• WEBbugs.tryton.org