CVE-2018-19443 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2018-19443 Interim 1 15 2025-02-17T02:32:40Z current 2021-05-30T14:18:45Z 2025-02-17T02:32:40Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2018-19443 The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/JQBYNXUDCBNY2HF4KADQQYFYI5W6DXW3/#JQBYNXUDCBNY2HF4KADQQYFYI5W6DXW3 E-Mail link for openSUSE-SU-2018:4242-1 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VE7XOCQSKFQT7F3HEPVXET23EYKOQRV3/#VE7XOCQSKFQT7F3HEPVXET23EYKOQRV3 E-Mail link for openSUSE-SU-2018:4248-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Package Hub 15 openSUSE Leap 15.0 tryton-4.2.19-bp150.2.6.1 tryton-4.2.19-lp150.2.10.1 trytond-4.2.17-bp150.2.6.1 trytond-4.2.17-lp150.2.15.1 trytond_account-4.2.10-bp150.3.3.1 trytond_account-4.2.10-lp150.2.3.1 trytond_account_invoice-4.2.7-bp150.3.3.1 trytond_account_invoice-4.2.7-lp150.2.3.1 trytond_purchase_request-4.2.4-bp150.3.3.1 trytond_purchase_request-4.2.4-lp150.2.3.1 trytond_stock-4.2.8-bp150.3.3.1 trytond_stock-4.2.8-lp150.2.3.1 trytond_stock_supply-4.2.3-bp150.3.6.1 trytond_stock_supply-4.2.3-lp150.2.7.1 tryton-4.2.19-bp150.2.6.1 as a component of SUSE Package Hub 15 trytond-4.2.17-bp150.2.6.1 as a component of SUSE Package Hub 15 trytond_account-4.2.10-bp150.3.3.1 as a component of SUSE Package Hub 15 trytond_account_invoice-4.2.7-bp150.3.3.1 as a component of SUSE Package Hub 15 trytond_purchase_request-4.2.4-bp150.3.3.1 as a component of SUSE Package Hub 15 trytond_stock-4.2.8-bp150.3.3.1 as a component of SUSE Package Hub 15 trytond_stock_supply-4.2.3-bp150.3.6.1 as a component of SUSE Package Hub 15 tryton-4.2.19-lp150.2.10.1 as a component of openSUSE Leap 15.0 trytond-4.2.17-lp150.2.15.1 as a component of openSUSE Leap 15.0 trytond_account-4.2.10-lp150.2.3.1 as a component of openSUSE Leap 15.0 trytond_account_invoice-4.2.7-lp150.2.3.1 as a component of openSUSE Leap 15.0 trytond_purchase_request-4.2.4-lp150.2.3.1 as a component of openSUSE Leap 15.0 trytond_stock-4.2.8-lp150.2.3.1 as a component of openSUSE Leap 15.0 trytond_stock_supply-4.2.3-lp150.2.7.1 as a component of openSUSE Leap 15.0 The client in Tryton 5.x before 5.0.1 tries to make a connection to the bus in cleartext instead of encrypted under certain circumstances in bus.py and jsonrpc.py. This connection attempt fails, but it contains in the header the current session of the user. This session could then be stolen by a man-in-the-middle. CVE-2018-19443 SUSE Package Hub 15:tryton-4.2.19-bp150.2.6.1 SUSE Package Hub 15:trytond-4.2.17-bp150.2.6.1 SUSE Package Hub 15:trytond_account-4.2.10-bp150.3.3.1 SUSE Package Hub 15:trytond_account_invoice-4.2.7-bp150.3.3.1 SUSE Package Hub 15:trytond_purchase_request-4.2.4-bp150.3.3.1 SUSE Package Hub 15:trytond_stock-4.2.8-bp150.3.3.1 SUSE Package Hub 15:trytond_stock_supply-4.2.3-bp150.3.6.1 openSUSE Leap 15.0:tryton-4.2.19-lp150.2.10.1 openSUSE Leap 15.0:trytond-4.2.17-lp150.2.15.1 openSUSE Leap 15.0:trytond_account-4.2.10-lp150.2.3.1 openSUSE Leap 15.0:trytond_account_invoice-4.2.7-lp150.2.3.1 openSUSE Leap 15.0:trytond_purchase_request-4.2.4-lp150.2.3.1 openSUSE Leap 15.0:trytond_stock-4.2.8-lp150.2.3.1 openSUSE Leap 15.0:trytond_stock_supply-4.2.3-lp150.2.7.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N