
CVE-2012-0215: Trytond allows modification of privileges of arbitrary users

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.68993%
Published: 5/4/2022
Updated: 11/18/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Package Name: trytond
Ecosystem: pip
Vulnerable Versions: < 2.4.0
First Patched Version: 2.4.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the fact that ModelStorage classes (including the relation models that back Many2Many fields) had their RPC methods enabled by default in their __init__ method, without requiring the class to also inherit from ModelView. The patch explicitly gates RPC method availability on ModelView inheritance. The root cause was therefore the unconditional assignment of RPC permissions in ModelStorage.__init__, which exposed the create/write/delete/copy RPC methods on models that were never meant to be reachable from the client, such as the relation model between users and their groups.
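The following is an added illustration of that root cause and its fix, not trytond's own code: ModelStorage, PatchedModelStorage, ModelView, the __rpc__ registry and rpc_dispatch are simplified stand-ins for the framework's real classes and dispatcher, and UserGroupRel is an assumed name for the user/group Many2Many relation model.

```python
# Added illustration, not trytond's code: ModelStorage, PatchedModelStorage,
# ModelView, __rpc__ and rpc_dispatch are simplified stand-ins for the real ones.
RPC_METHODS = ("create", "write", "delete", "copy")

class ModelView:
    """Marker base: a model meant to be driven from the client UI."""

class ModelStorage:
    """Pre-2.4.0 shape: __init__ grants RPC unconditionally, so a Many2Many
    relation model that inherits only ModelStorage is exposed as well."""

    def __init__(self):
        self.__rpc__ = {}
        for name in RPC_METHODS:
            self.__rpc__[name] = True

    def write(self, values):
        # Stand-in for persistence: returns what would be stored.
        return dict(values)

class PatchedModelStorage(ModelStorage):
    """2.4.0 shape: the RPC grant is gated on ModelView inheritance."""

    def __init__(self):
        self.__rpc__ = {}
        if isinstance(self, ModelView):
            for name in RPC_METHODS:
                self.__rpc__[name] = True

class UserGroupRel(ModelStorage):
    """Relation model behind a user<->group Many2Many (vulnerable shape)."""

class UserGroupRelPatched(PatchedModelStorage):
    """Same relation model on the patched base: no view, so no RPC surface."""

class User(PatchedModelStorage, ModelView):
    """Client-facing model: keeps its RPC methods after the patch."""

def rpc_exposed(model_cls):
    """Method names a client could call on instances of model_cls."""
    return sorted(name for name, ok in model_cls().__rpc__.items() if ok)

def rpc_dispatch(model, method, *args):
    """Server-side entry point: only names registered in __rpc__ are callable."""
    if not model.__rpc__.get(method):
        raise PermissionError(f"{type(model).__name__}.{method} is not exposed")
    return getattr(model, method)(*args)
```

Checking `rpc_exposed` on each relation model is the quick way to see the difference: the unpatched base lists all four storage methods on the relation table, the gated base lists none, while a real view model such as User is unaffected.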


WAF Protection Rules

WAF Rule

`model/modelstorage.py` in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users.
