
CVE-2016-1241: Tryton allows users to read the hashed password

CVSS Score (v3.0): 5.3

Basic Information

EPSS Score: 0.47328%
Published: 5/17/2022
Updated: 11/22/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
trytond        pip         >= 3.0.0, < 3.2.17    3.2.17
trytond        pip         >= 3.4.0, < 3.4.14    3.4.14
trytond        pip         >= 3.8.0, < 3.8.8     3.8.8
trytond        pip         >= 3.6.0, < 3.6.12    3.6.12
trytond        pip         >= 4.0.0, < 4.0.4     4.0.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The key evidence comes from the patched commit 30d2a6d which adds a read() method override in the User class that explicitly nullifies the 'password_hash' field in read operations. The accompanying test (test_read_password_hash in test_user.py) demonstrates that prior to this fix, the password_hash field was readable. The vulnerability stems from the absence of this sanitization logic in the original User.read() implementation, allowing exposure of password hashes to authenticated users.
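As an added illustration of the fix the analysis describes, and not trytond's own code (no trytond API is used): two hypothetical model classes, VulnerableUser and HardenedUser, inherit a generic read(); the hardened one overrides read() to nullify password_hash in every row it returns, while its authenticate() still reads the column directly, so login keeps working. The in-memory record store, the PBKDF2 helper, the field names other than password_hash and the sample users are constructed for this example. ids_exposing_hash() is the kind of regression check the accompanying test performs: it asks read() for password_hash and reports any id for which a non-null value came back.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000

# Constructed sample users (login, plaintext password); not real accounts.
SAMPLE_USERS = [("alice", "correct horse battery"), ("bob", "hunter2")]


def hash_password(password: str) -> str:
    """Constructed helper: salted PBKDF2-HMAC-SHA256 packed into one string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


class BaseModel:
    """Minimal in-memory model: a generic read() that returns the requested
    fields for each id, standing in for an ORM base class (hypothetical)."""

    _records: dict = {}

    @classmethod
    def read(cls, ids, fields):
        return [{"id": rid, **{f: cls._records[rid][f] for f in fields}} for rid in ids]


class VulnerableUser(BaseModel):
    """Pre-fix behaviour: read() is inherited unchanged, so any caller allowed
    to call it can request 'password_hash' and receive the stored hash."""

    _records = {}


class HardenedUser(BaseModel):
    """Post-fix behaviour: read() is overridden to nullify password_hash in
    every row it returns, so the hash never crosses the model boundary."""

    _records = {}

    @classmethod
    def read(cls, ids, fields):
        rows = super().read(ids, fields)
        for row in rows:
            if "password_hash" in row:
                row["password_hash"] = None
        return rows

    @classmethod
    def authenticate(cls, user_id: int, password: str) -> bool:
        # Login code reads the column directly and never goes through read(),
        # so hiding the hash from callers costs nothing for authentication.
        return verify_password(cls._records[user_id]["password_hash"], password)


def seed(model, users):
    """Load constructed rows into a model; returns the ids assigned."""
    model._records.clear()
    for rid, (login, password) in enumerate(users, start=1):
        model._records[rid] = {"login": login, "password_hash": hash_password(password)}
    return list(model._records)


def ids_exposing_hash(model, ids):
    """Regression check for the fix: ids whose read() still returns a non-null hash."""
    rows = model.read(ids, ["login", "password_hash"])
    return [row["id"] for row in rows if row["password_hash"] is not None]


if __name__ == "__main__":
    for model in (VulnerableUser, HardenedUser):
        ids = seed(model, SAMPLE_USERS)
        print(model.__name__, "exposes hashes for ids:", ids_exposing_hash(model, ids))
```

Note that the override still honours the requested field list: a caller that asks for password_hash gets the key back with a null value rather than an error, which keeps existing clients working while closing the disclosure.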


WAF Protection Rules

WAF Rule

Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors.
