CVE-2019-10868
Description
In trytond/model/modelstorage.py in Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6, an authenticated user can order records based on a field for which he has no access right. This may allow the user to guess values.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Tryton before versions 4.2.21, 4.4.19, 4.6.14, 4.8.10, and 5.0.6, an authenticated user can order records by a field they lack access rights to, potentially guessing field values.
Vulnerability
The vulnerability exists in trytond/model/modelstorage.py of the Tryton server. An authenticated user can order search results by a field for which they have no access right. The flaw affects Tryton 4.2 before 4.2.21, 4.4 before 4.4.19, 4.6 before 4.6.14, 4.8 before 4.8.10, and 5.0 before 5.0.6 [1]. The root cause is that the ordering criteria of a search were applied to the database query without the field-level access check that a read of the same field would be subject to.
Exploitation
Exploitation requires an authenticated Tryton account but no privilege beyond that. The attacker issues a search whose ordering clause names a field they are not allowed to read; because the server applied the ordering without checking field access, the position of each record in the result reveals how its hidden value compares with the values of the other records, even though the field itself cannot be read directly [1][2].
Impact
Successful exploitation leads to information disclosure. An attacker can infer the values of restricted fields by observing the order in which records are returned. For example, sorting by a salary field reveals each record's rank and, once any record's value is known by other means, bounds on the values of its neighbours. The impact is limited to what can be inferred through ordering, but that can still expose sensitive business data [2].
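The following is an added illustration, not code from trytond or from the advisory: a toy record store with field-level read access, a search whose ordering clause is applied without checking that access (the pre-fix behaviour described above), and the hardened variant that subjects ordering fields to the same read check as a read of the field. The record contents, the access table and the function names are all assumptions constructed for the example; the only thing carried over from the page is the idea of a confidential `salary` field.

```python
"""Toy model of CVE-2019-10868: ordering by a field you may not read leaks its value.

Stand-alone illustration, not trytond code. Records, permissions and API names
are constructed here and are not Tryton's.
"""
from typing import Callable, Dict, List, Sequence, Tuple

# Constructed sample data: one model with a confidential field.
RECORDS: List[Dict[str, object]] = [
    {"id": 1, "name": "alice", "salary": 90000},
    {"id": 2, "name": "bob", "salary": 55000},
    {"id": 3, "name": "carol", "salary": 72000},
]

# Constructed field-level permissions for the calling user's group:
# the user may read id and name, but not salary.
FIELD_READ_ACCESS: Dict[str, bool] = {"id": True, "name": True, "salary": False}

Order = Sequence[Tuple[str, str]]  # e.g. [("salary", "ASC"), ("id", "DESC")]


class AccessError(Exception):
    """Raised when a request names a field the caller may not read."""


def check_field_read(fields: Sequence[str], access: Dict[str, bool]) -> None:
    for fname in fields:
        if not access.get(fname, False):
            raise AccessError(f"no read access to field {fname!r}")


def apply_order(records: List[Dict[str, object]], order: Order) -> List[Dict[str, object]]:
    """Stable multi-key sort: apply keys from least to most significant."""
    result = list(records)
    for fname, direction in reversed(list(order)):
        if direction not in ("ASC", "DESC"):
            raise ValueError(f"bad direction {direction!r}")
        result.sort(key=lambda r: r[fname], reverse=(direction == "DESC"))
    return result


def search_vulnerable(order: Order, access: Dict[str, bool]) -> List[int]:
    """Pre-fix behaviour: the order clause goes straight to the sort with no
    field check, so the result order is a function of a field the caller
    cannot read."""
    return [r["id"] for r in apply_order(RECORDS, order)]


def search_fixed(order: Order, access: Dict[str, bool]) -> List[int]:
    """Post-fix behaviour: every field named in the order clause must pass the
    same read check that read() applies."""
    check_field_read([fname for fname, _ in order], access)
    return [r["id"] for r in apply_order(RECORDS, order)]


def read(ids: Sequence[int], fields: Sequence[str], access: Dict[str, bool]) -> List[Dict[str, object]]:
    """Return only permitted fields; this check exists in both versions."""
    check_field_read(fields, access)
    by_id = {r["id"]: r for r in RECORDS}
    return [{f: by_id[i][f] for f in fields} for i in ids]


def infer_salary_ranking(search: Callable[[Order, Dict[str, bool]], List[int]],
                         access: Dict[str, bool] = FIELD_READ_ACCESS) -> List[str]:
    """Attacker's view: never reads salary, yet learns who earns more than whom
    by asking for records ordered by salary and then reading only names."""
    ids = search([("salary", "ASC")], access)
    return [row["name"] for row in read(ids, ["name"], access)]


if __name__ == "__main__":
    print("vulnerable server leaks ranking:", infer_salary_ranking(search_vulnerable))
    try:
        infer_salary_ranking(search_fixed)
    except AccessError as exc:
        print("fixed server refuses:", exc)
```

Against the vulnerable search the attacker recovers the ascending salary order bob, carol, alice without ever being allowed to read `salary`; against the fixed search the same request is refused with the same error a direct read of `salary` would produce, which is the property a patch for this class of bug needs: any field that influences a response, whether by value, filter or sort position, must be subject to the read check.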
Mitigation
The issue is fixed in Tryton versions 4.2.21, 4.4.19, 4.6.14, 4.8.10, and 5.0.6. Debian has released security update DSA-4426-1 addressing this CVE [2]. Users should upgrade to the patched versions; no workaround is documented.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| trytond (PyPI) | >= 4.2.0, < 4.2.21 | 4.2.21 |
| trytond (PyPI) | >= 4.4.0, < 4.4.19 | 4.4.19 |
| trytond (PyPI) | >= 4.6.0, < 4.6.14 | 4.6.14 |
| trytond (PyPI) | >= 4.8.0, < 4.8.10 | 4.8.10 |
| trytond (PyPI) | >= 5.0.0, < 5.0.6 | 5.0.6 |
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-f6f2-pwrj-64h3 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10868 (NVD entry)
- www.debian.org/security/2019/dsa-4426 (Debian vendor advisory DSA-4426)
- discuss.tryton.org/t/security-release-for-issue8189/1262 (Tryton security release announcement)
- github.com/pypa/advisory-database/tree/main/vulns/trytond/PYSEC-2019-127.yaml (PyPI advisory database, PYSEC-2019-127)
- hg.tryton.org/trytond/rev/f58bbfe0aefb (trytond Mercurial changeset)
- seclists.org/bugtraq/2019/Apr/14 (Bugtraq mailing list)
News mentions
No linked articles in our index yet.