
CVE-2014-6633: Tryton allows authenticated users to run unauthorized system commands

GHSA-m9jj-5qvj-5fhx CVE-2014-6633
Summary

Tryton, business management software, has a security issue that allows authenticated users to run unauthorized commands on the system. This could lead to data loss or system compromise. To fix this, update your Tryton installation to the latest version, especially if you're using version 2.4 or earlier, 2.6, 2.8, 3.0, or 3.2.

What to do
  • Update tryton to version 2.4.15.
  • Update tryton to version 2.6.14.
  • Update tryton to version 2.8.11.
  • Update tryton to version 3.2.3.
  • Update trytond to version 2.4.15.
  • Update trytond to version 2.6.14.
  • Update trytond to version 2.8.11.
  • Update trytond to version 3.2.3.
  • Update trytond to version 3.0.7.
Affected software
Ecosystem / Vendor | Product | Affected versions
pip | tryton | < 2.4.15; >= 2.6.0, < 2.6.14; >= 2.8.0, < 2.8.11; >= 3.2.0, < 3.2.3 (Fix: upgrade to 2.4.15)
pip | trytond | >= 2.4.0, < 2.4.15; >= 2.6.0, < 2.6.14; >= 2.8.0, < 2.8.11; >= 3.2.0, < 3.2.3; >= 3.0.0, < 3.0.7 (Fix: upgrade to 2.4.15)
tryton | tryton | >= 2.4.0, < 2.4.15; >= 2.6.0, < 2.6.14; >= 2.8.0, < 2.8.11; >= 3.0.0, < 3.0.7; >= 3.2.0, < 3.2.3 (cpe:2.3:a:tryton:tryton:*:*:*:*:*:*:*:*)
Original title
The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrar...
Original description
The safe_eval function in trytond in Tryton before 2.4.15, 2.6.x before 2.6.14, 2.8.x before 2.8.11, 3.0.x before 3.0.7, and 3.2.x before 3.2.3 allows remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the collection.domain in the webdav module or (2) the formula field in the price_list module.
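To check an inventory against the trytond ranges in the description above, the following added example (not part of the advisory or of Tryton's code) classifies pinned versions. The function names, the status labels and the sample pins are assumptions made for illustration.

```python
import re

# Fixed trytond release per series, as listed in the advisory above.
FIXED = {
    (2, 4): (2, 4, 15),
    (2, 6): (2, 6, 14),
    (2, 8): (2, 8, 11),
    (3, 0): (3, 0, 7),
    (3, 2): (3, 2, 3),
}

def parse_version(text):
    """Parse 'X.Y' or 'X.Y.Z' into a 3-tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def check_trytond(version):
    """Return (status, fixed_release) for one trytond version."""
    v = parse_version(version)
    fix = FIXED.get(v[:2])
    if fix is None:
        if v < FIXED[(2, 4)]:  # "before 2.4.15" also covers older series
            return "affected", "2.4.15"
        return "not-listed", None  # series the advisory does not mention
    status = "affected" if v < fix else "fixed"
    return status, ".".join(map(str, fix))

def scan_pins(lines):
    """Check every 'trytond==X.Y.Z' pin in pip-freeze style lines."""
    results = {}
    for line in lines:
        m = re.fullmatch(r"trytond==([\d.]+)", line.split("#")[0].strip(), re.I)
        if m:
            results[m.group(1)] = check_trytond(m.group(1))
    return results

# Constructed sample input, not taken from a real deployment.
SAMPLE_PINS = ["trytond==3.0.5", "trytond_party==3.0.0", "trytond==3.2.3  # patched host"]

if __name__ == "__main__":
    for ver, (status, fix) in scan_pins(SAMPLE_PINS).items():
        print(ver, status, fix)
```

A "not-listed" result means the advisory makes no statement about that series, not that the release is known to be safe.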
ghsa CVSS3.1 8.8
ghsa CVSS4.0 8.7
Vulnerability type
CWE-77 Command Injection
Published: 12 Apr 2018 · Updated: 15 Jun 2026 · First seen: 6 Mar 2026