CVE-2016-1242: Tryton allow authenticated users with certain permissions to read arbitrary files via the name parameter

May 17, 2022 (updated November 22, 2024)

file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allows remote authenticated users with certain permissions to read arbitrary files via the name parameter or unspecified other vectors.

References

bugs.tryton.org/issue5808
github.com/advisories/GHSA-jpr7-8rxm-4vgx
github.com/pypa/advisory-database/tree/main/vulns/tryton/PYSEC-2016-41.yaml
github.com/pypa/advisory-database/tree/main/vulns/trytond/PYSEC-2016-13.yaml
github.com/tryton/trytond
nvd.nist.gov/vuln/detail/CVE-2016-1242

Code Behaviors & Features

Detect and mitigate CVE-2016-1242 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →