Medium severity 5.3 · NVD Advisory · Published Sep 7, 2016 · Updated May 6, 2026

CVE-2016-1241

Description

Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions      Patched versions
trytond (PyPI)    >= 3.0.0, < 3.2.17     3.2.17
trytond (PyPI)    >= 3.4.0, < 3.4.14     3.4.14
trytond (PyPI)    >= 3.8.0, < 3.8.8      3.8.8
trytond (PyPI)    >= 3.6.0, < 3.6.12     3.6.12
trytond (PyPI)    >= 4.0.0, < 4.0.4      4.0.4

Patches

11424d57b783

Add test about reading password hash

https://github.com/tryton/trytond · Cédric Krier · Aug 30, 2016 · via ghsa
1 file changed · +7 -0
  • trytond/tests/test_user.py · +7 -0 · modified
    @@ -37,6 +37,7 @@ def create_user(self, login, password, hash_method=None):
                 User.write([user], {
                         'password': password,
                         })
    +        return user
     
         def check_user(self, login, password):
             pool = Pool()
    @@ -72,6 +73,12 @@ def test_test_bcrypt(self):
             self.create_user('user', '12345', 'bcrypt')
             self.check_user('user', '12345')
     
    +    @with_transaction()
    +    def test_read_password_hash(self):
    +        "Test password_hash can not be read"
    +        user = self.create_user('user', '12345')
    +        self.assertIsNone(user.password_hash)
    +
     
     def suite():
         return unittest.TestLoader().loadTestsFromTestCase(UserTestCase)
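
Review bot: test_read_password_hash only checks attribute access on the record returned by create_user (user.password_hash), so it never calls User.read directly. The read override in trytond/res/user.py has two conditions, "not fields_names" and "'password_hash' in fields_names", and neither is asserted on explicitly here. Add assertions that call User.read([user.id], ['password_hash']) and User.read([user.id]) and check that password_hash is None in each returned dict, so a later change to either condition is caught by this test.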
    
30d2a6dcaf09

Prevent read of user password hash

https://github.com/tryton/trytond · Cédric Krier · Aug 30, 2016 · via ghsa
2 files changed · +9 -0
  • CHANGELOG · +1 -0 · modified
    @@ -1,3 +1,4 @@
    +* Prevent read of user password hash (CVE-2016-1241)
     * Add database dump cache for tests
     * Remove unused tools: find_in_path, exec_command_pipe and mod10r
     * Implementation of drop_column for SQLite
    
  • trytond/res/user.py · +8 -0 · modified
    @@ -232,6 +232,14 @@ def _convert_vals(vals):
                 vals['menu'] = Action.get_action_id(vals['menu'])
             return vals
     
    +    @classmethod
    +    def read(cls, ids, fields_names=None):
    +        result = super(User, cls).read(ids, fields_names=fields_names)
    +        if not fields_names or 'password_hash' in fields_names:
    +            for values in result:
    +                values['password_hash'] = None
    +        return result
    +
         @classmethod
         def create(cls, vlist):
             vlist = [cls._convert_vals(vals) for vals in vlist]
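
Review bot: the new read classmethod has no docstring or comment explaining why password_hash is forced to None, and it masks the value for every caller of read, not only remote ones. State the intent (CVE-2016-1241) in a docstring, and confirm that no server-side code, such as the login check, obtains the hash through read, since it will now receive None. Because the key stays in each result dict with a None value, callers also cannot tell a masked hash from a user with no password set; either document that or drop the key from the result instead.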
    
