[SEC] CVE-2021-45111 - Improper access control in Odoo Community 15.... #107683

Closed
odony opened this issue Dec 10, 2022 · 0 comments
Labels: Security (security announcements)

Comments

@odony
Copy link
Contributor

odony commented Dec 10, 2022

Security Advisory - CVE-2021-45111

Affects: Odoo 15.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2021-45111
Component: Core
Credits: Nils Hamerlinck (Trobz), Yenthe Van Ginneken

Improper access control in Odoo Community 15.0 and earlier and Odoo
Enterprise 15.0 and earlier allows remote authenticated users to trigger
the creation of demonstration data, including user accounts with known
credentials.

I. Background

To be able to quickly demonstrate features, demonstration data can be added to
an existing Odoo instance. This creates fake employees, products and other
demonstration data.

II. Problem Description

This feature could be triggered by any user instead of only administrators.

III. Impact

Attack Vector: Network exploitable
Authentication: Employee / Portal user account required
CVSS3 Score: High :: 7.1
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

A malicious low-privilege user (including portal user accounts) on an Odoo
database might install demonstration data and use this as a way to gain
access to restricted data or features.

Odoo S.A. is not aware of any use of this vulnerability in the wild, but any
exploitation would result in a new user "demo" being created.

IV. Workaround

No workaround is available; updating to the latest revision or applying the
corresponding patch is strongly recommended.

Odoo Cloud servers have been patched as soon as the correction was available.

V. Solution

Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).

For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html

VI. Correction details

The following list contains the patches that fix the vulnerability for
each version:

  • 13.0: 2df06fe
  • 14.0: d326153
  • 15.0: d326153
  • 15.0-ent, 14.0-ent, 13.0-ent (Enterprise): see 15.0, 14.0 and 13.0.
@odony odony closed this as completed Dec 10, 2022
@odoo odoo locked and limited conversation to collaborators Dec 10, 2022