CVE-2012-0215: Trytond allows modification of privileges of arbitrary users
CVSS Score: 6.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2012-0215
GHSA ID
EPSS Score: 0.68993%
CWE
Published: 5/4/2022
Updated: 11/18/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
trytond | pip | < 2.4.0 | 2.4.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from ModelStorage classes (including the relation models that back Many2Many fields) enabling RPC methods by default in their __init__ method, without requiring the class to also inherit from ModelView. The patch explicitly gates RPC method availability on ModelView inheritance. The root cause was therefore the unconditional assignment of RPC permissions in ModelStorage.__init__, which directly exposed the create/write/delete/copy RPC methods on models that were never meant to be called remotely.
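The before/after gate described above, as an added example that is not trytond's own code: a constructed ModelStorage whose __init__ either registers write-capable RPC methods unconditionally (the pre-2.4.0 behaviour) or only when the class also inherits ModelView (the fix). The class names, the _rpc set and the dispatcher are simplifying assumptions, not the framework's real API.

```python
"""Constructed simplification of the pattern behind CVE-2012-0215 (added here;
not trytond's own code). ModelStorage, ModelView, User and UserGroupRel are
illustrative stand-ins for the framework's classes, and _rpc is a plain set of
method names rather than the real registration structure."""


class ModelView:
    """Marker base: only models that also inherit ModelView are meant to be
    driven by clients over RPC."""


def build_models(gated):
    """Return a ModelView-backed User model and a plain UserGroupRel relation
    model (the table backing a Many2Many field). gated=False reproduces the
    pre-2.4.0 ModelStorage.__init__, which registers create/write/delete/copy
    unconditionally; gated=True applies the fix and requires ModelView."""

    class ModelStorage:
        WRITE_RPC = ('create', 'write', 'delete', 'copy')

        def __init__(self):
            self._rpc = {'read', 'search'}          # read-side calls, always on
            if not gated or isinstance(self, ModelView):
                self._rpc.update(self.WRITE_RPC)

        def write(self, ids, values):
            return f'{type(self).__name__}: {ids} <- {values}'

    class User(ModelStorage, ModelView):
        pass

    class UserGroupRel(ModelStorage):   # relation model: storage only, no view
        pass

    return {'user': User(), 'user_group_rel': UserGroupRel()}


def rpc_dispatch(model, method, *args):
    """Minimal stand-in for the server dispatcher: a remote call reaches a
    method only if the model registered it in _rpc."""
    if method not in model._rpc:
        raise PermissionError(f'{type(model).__name__}.{method} is not exposed over RPC')
    return getattr(model, method)(*args)


def writable_models(gated):
    """Names of models whose 'write' method is callable over RPC."""
    return sorted(name for name, m in build_models(gated).items() if 'write' in m._rpc)


if __name__ == '__main__':
    print('before fix:', writable_models(gated=False))  # ['user', 'user_group_rel']
    print('after fix: ', writable_models(gated=True))   # ['user']
```

With the gate in place, the relation model still stores rows but the dispatcher refuses remote write calls to it, which is the exposure the 2.4.0 fix removes.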