Skip to content

[SEC] CVE-2021-23166 - A sandboxing issue in Odoo Community 15.0 and... #107687

Closed
@odony

Description

@odony

Security Advisory - CVE-2021-23166

Affects: Odoo 15.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2021-23166
Component: Core
Credits: Nils Hamerlinck (Trobz)

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise
15.0 and earlier allows authenticated administrators to read and write
local files on the server.

I. Background

Odoo uses the Python library psycopg2 to interact with the PostgreSQL database.

II. Problem Description

The pyscopg2 library could be abused to access the local files of the server
running the Odoo instance.

III. Impact

Attack Vector: Network exploitable
Authentication: Privileged user account required
CVSS3 Score: high :: 8.7
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

A malicious administrator might be able to read or modify sensitive files stored
on the server such as protected configuration secrets.

Systems who host Odoo databases for untrusted users are particularly at risk,
(e.g. SaaS platforms), as they typically allow users to become administrators
of their own Odoo database. This is sufficient to exploit the vulnerability.

Odoo S.A. is not aware of any use of this vulnerability in the wild.

IV. Workaround

No workaround is available, updating to the latest revision or applying the
corresponding patch is strongly recommended.

Odoo Cloud servers have been patched as soon as the correction was available.

V. Solution

Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).

For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html

VI. Correction details

The following list contains the patches that fix the vulnerability for
each version:

  • 13.0: c306ce2
  • 14.0: 1f1e03f
  • 15.0: 0122cb3
  • 15.0-ent, 14.0-ent, 13.0-ent (Enterprise): see 15.0, 14.0 and 13.0.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Securitysecurity announcements

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions