CVE-2018-19443: Man-in-the-Middle
Under certain circumstances the Tryton client tries to connect to the bus in cleartext instead of over an encrypted connection (in bus.py and jsonrpc.py). The connection attempt fails, but its header carries the user's current session, which a man-in-the-middle could then steal.
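The defensive pattern behind this class of bug is to derive the bus endpoint from the main server URL, so the scheme (and therefore TLS) is inherited, and to refuse to attach a session credential to any request that would travel in cleartext. The following is an added illustration written for this page; it is not Tryton's code or its actual fix, and the `/bus` path, the `Session` header format and the example hostname are assumptions.

```python
"""
Hypothetical illustration (not Tryton's code): inherit the scheme of the
primary connection when building the bus URL, and never place a session
token in the header of a request that would be sent unencrypted.
"""
from urllib.parse import urlsplit, urlunsplit


class PlaintextSessionError(Exception):
    """Raised when a session credential would be sent over an unencrypted URL."""


def bus_url(server_url: str, path: str = "/bus") -> str:
    """Build the bus endpoint URL from the main server URL.

    Scheme, host and port are copied from ``server_url`` so a client that
    talks to the server over HTTPS cannot silently fall back to HTTP for
    the bus. The ``/bus`` path is an assumed value for this example.
    """
    parts = urlsplit(server_url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def session_headers(url: str, session: str) -> dict:
    """Return request headers carrying the session, or refuse outright.

    This is the check that blocks the failure mode in the advisory: a
    session token in the header of a cleartext request. The header name
    and format here are constructed for the example.
    """
    if urlsplit(url).scheme != "https":
        raise PlaintextSessionError(f"refusing to send session over {url!r}")
    return {"Authorization": f"Session {session}"}


def prepare_bus_request(server_url: str, session: str) -> tuple:
    """Derive the bus URL and build headers for it in one step.

    Returns (url, headers); raises PlaintextSessionError for a plaintext
    server URL so the caller cannot leak the session by accident.
    """
    url = bus_url(server_url)
    return url, session_headers(url, session)


if __name__ == "__main__":
    # Constructed example values; the hostname is a placeholder.
    print(prepare_bus_request("https://erp.example.test:8000/", "s3ss10n"))
    try:
        prepare_bus_request("http://erp.example.test:8000/", "s3ss10n")
    except PlaintextSessionError as exc:
        print("blocked:", exc)
```

Deriving the bus URL from the already-established server URL removes the separate code path that could pick a different scheme, and the explicit check in `session_headers` turns a silent credential leak into a loud failure that is easy to spot in client logs.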