CVE-2018-19443
Session Fixation in Tryton
5.9
MEDIUM
CVSS 3.1
EPSS 0.19%
Description
The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle.
How to fix CVE-2018-19443
To remediate CVE-2018-19443, upgrade each affected package to the fixed version listed below.
- upgrade to 5.0.1 or later
- upgrade to 5.0.1 or later
Is CVE-2018-19443 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 5.0.0, < 5.0.1
- >= 5.0.0, < 5.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |