
[SEC] CVE-2021-23176 - Improper access control in reporting engine o... #107682

Closed
odony opened this issue Dec 10, 2022 · 0 comments

Labels: Security (security announcements)

odony commented Dec 10, 2022

Security Advisory - CVE-2021-23176

Affects: Odoo 15.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2021-23176
Component: l10n_fr_fec
Credits: Florent Mirieu de la barre

Improper access control in reporting engine of l10n_fr_fec module in Odoo
Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows
remote authenticated users to extract accounting information via crafted
RPC packets.

I. Background

The l10n_fr_fec module is the French accounting localization module used to
generate the Fichier d'Échange Informatisé (FEC).

II. Problem Description

The generation of the report was not properly protected and could be accessed
by users without accounting access rights.

III. Impact

Attack Vector: Network exploitable
Authentication: Employee / Portal user account required
CVSS3 Score: Medium :: 6.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Malicious users (including portal user accounts) on an Odoo database
might craft RPC requests specifically targeted at extracting accounting
data from the database.
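The gap behind this advisory is that a wizard hidden from non-accountants in the menu is still reachable through JSON-RPC, so the method itself has to enforce access rights. The following is an added stand-alone illustration, not Odoo's code or the patch: the group xmlids `account.group_account_user` and `base.group_portal` are real Odoo identifiers, but the wizard classes, the `call_kw` stand-in and the ledger rows are constructed for this example.

```python
from dataclasses import dataclass, field

class AccessError(Exception):
    """Stand-in for odoo.exceptions.AccessError (not Odoo's class)."""

@dataclass
class User:
    login: str
    groups: set = field(default_factory=set)
    def has_group(self, xmlid: str) -> bool:
        return xmlid in self.groups

# Constructed sample rows of the kind a FEC export would serialise.
LEDGER = [
    {"JournalCode": "VEN", "EcritureNum": "INV/2022/0001", "Debit": 1200.0},
    {"JournalCode": "ACH", "EcritureNum": "BILL/2022/0007", "Credit": 350.0},
]

class FecWizardUnprotected:
    """Pattern the advisory describes: the wizard is hidden from
    non-accountants in the menu, but the method itself checks nothing."""
    def generate_fec_report(self, user: User):
        return list(LEDGER)

class FecWizardProtected:
    """Hardened pattern: the method verifies the caller's accounting rights
    itself, so the UI path and the raw RPC path are both covered."""
    REQUIRED_GROUP = "account.group_account_user"  # real Odoo group xmlid
    def generate_fec_report(self, user: User):
        if not user.has_group(self.REQUIRED_GROUP):
            raise AccessError(f"{user.login} may not export accounting data")
        return list(LEDGER)

WIZARDS = {"unprotected": FecWizardUnprotected(), "protected": FecWizardProtected()}

def call_kw(user: User, model: str, method: str):
    """Minimal stand-in for Odoo's JSON-RPC call_kw dispatcher: any
    authenticated user may name any model and method, menus notwithstanding."""
    return getattr(WIZARDS[model], method)(user)

def probe(model: str):
    """Return (rows seen by an accountant, 'leaked'/'denied' for a portal user)."""
    accountant = User("alice", {"account.group_account_user"})
    portal = User("portal", {"base.group_portal"})
    rows = len(call_kw(accountant, model, "generate_fec_report"))
    try:
        call_kw(portal, model, "generate_fec_report")
        outcome = "leaked"
    except AccessError:
        outcome = "denied"
    return rows, outcome
```

`probe("unprotected")` shows the portal user receiving the ledger rows, while `probe("protected")` shows the same RPC call denied with the accountant still served.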

Odoo S.A. is not aware of any use of this vulnerability in the wild.

IV. Workaround

Until the patch is deployed, the l10n_fr_fec module can be uninstalled on
unpatched databases. Updating to the latest revision or applying the
corresponding patch is strongly recommended.

V. Solution

Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).

For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html

VI. Correction details

The following list contains the patches that fix the vulnerability for
each version:

  • 13.0: 0ef5489
  • 14.0: f166400
  • 15.0: 66f0a38
  • 15.0-ent, 14.0-ent, 13.0-ent (Enterprise): see 15.0, 14.0 and 13.0.
@odony odony closed this as completed Dec 10, 2022
@odoo odoo locked and limited conversation to collaborators Dec 10, 2022