High severity · NVD Advisory · Published Jul 12, 2012 · Updated Apr 29, 2026
CVE-2012-0215
Description
model/modelstorage.py in the Tryton application framework (trytond) before 2.4.0 for Python does not properly restrict access to the Many2Many field in the relation model, which allows remote authenticated users to modify the privileges of arbitrary users via a (1) create, (2) write, (3) delete, or (4) copy rpc call.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| trytond (PyPI) | < 2.4.0 | 2.4.0 |
Affected products
- cpe:2.3:a:tryton:trytond:*:*:*:*:*:*:*:* (range: <=2.2.3)
- cpe:2.3:a:tryton:trytond:1.4.13:*:*:*:*:*:*:*
- cpe:2.3:a:tryton:trytond:1.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:tryton:trytond:1.8.7:*:*:*:*:*:*:*
- cpe:2.3:a:tryton:trytond:2.0.5:*:*:*:*:*:*:*
Patches
d059ebb79240: Don't allow rpc call on ModelStorage without ModelView
2 files changed · +15 −12
CHANGELOG+1 −0 modified@@ -1,3 +1,4 @@ +* Don't allow rpc call on ModelStorage without ModelView (CVE-2012-0215) * Add shared WebDAV * Remove workflow module * Simplify workflow engine
trytond/model/modelstorage.py+14 −12 modified@@ -26,6 +26,7 @@ from trytond.pool import Pool from trytond.cache import LRUDict from trytond.config import CONFIG +from .modelview import ModelView class ModelStorage(Model): @@ -42,18 +43,19 @@ class ModelStorage(Model): def __init__(self): super(ModelStorage, self).__init__() - self._rpc.update({ - 'create': True, - 'read': False, - 'write': True, - 'delete': True, - 'copy': True, - 'search': False, - 'search_count': False, - 'search_read': False, - 'export_data': False, - 'import_data': True, - }) + if isinstance(self, ModelView): + self._rpc.update({ + 'create': True, + 'read': False, + 'write': True, + 'delete': True, + 'copy': True, + 'search': False, + 'search_count': False, + 'search_read': False, + 'export_data': False, + 'import_data': True, + }) self._constraints = [] def default_create_uid(self):
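Review bot: In the `__init__` hunk of trytond/model/modelstorage.py, the new `if isinstance(self, ModelView):` gate has no comment explaining why the `_rpc` entries are withheld from storage-only models, and with only CHANGELOG and modelstorage.py changed there is no test covering it. Suggest a one-line comment above the check tying it to CVE-2012-0215 (the relation models behind Many2Many fields should not be callable over RPC), plus a regression test asserting that a ModelStorage subclass that is not a ModelView gets none of `create`, `write`, `delete`, `copy` or `import_data` from this block. The gate is also all-or-nothing: `read`, `search`, `search_count`, `search_read` and `export_data` are dropped together with the modifying calls, so anything that read such a model over RPC stops working; that behaviour change deserves a mention in the CHANGELOG entry.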
References
- hg.tryton.org/trytond/rev/8e64d52ecea4 (nvd; Exploit, Patch, WEB)
- news.tryton.org/2012/03/security-releases-for-all-supported.html (nvd; Vendor Advisory, WEB)
- github.com/advisories/GHSA-cqg4-rf29-3mv6 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2012-0215 (ghsa; ADVISORY)
- www.debian.org/security/2012/dsa-2444 (nvd; WEB)
- bugs.tryton.org/issue2476 (nvd; WEB)
- github.com/pypa/advisory-database/tree/main/vulns/trytond/PYSEC-2012-6.yaml (ghsa; WEB)
- github.com/tryton/trytond/commit/d059ebb792401ded3129cd9402d7392dc34b81e3 (ghsa; WEB)
- web.archive.org/web/20121113201043/http://news.tryton.org/2012/03/security-releases-for-all-supported.html (ghsa; WEB)