[SEC] CVE-2021-44465 - Improper access control in Odoo Community 13.... #107692

Closed
odony opened this issue Dec 10, 2022 · 0 comments
Labels: Security (security announcements)

odony commented Dec 10, 2022

Security Advisory - CVE-2021-44465

Affects: Odoo 13.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2021-44465
Component: Website Mail
Credits: Swapnesh Shah

Improper access control in Odoo Community 13.0 and earlier and Odoo
Enterprise 13.0 and earlier allows authenticated attackers to subscribe
to receive future notifications and comments related to arbitrary
business records in the system, via crafted RPC requests.

I. Background

The Website Mail module adds generic components to follow group discussions
on a website for external users.

II. Problem Description

Improper content validation allowed following arbitrary documents where the
discussion feature is available, including ones the user does not have
access to.

III. Impact

Attack Vector: Network exploitable
Authentication: None
CVSS3 Score: Medium :: 5.3
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

An attacker might craft requests to follow private documents and receive future
messages. Some documents might use the list of followers as a way to determine
access to the parent document. This could be used as a way to escalate into
reading the content of the followed document through the portal.

Odoo S.A. is not aware of any use of this vulnerability in the wild.
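The defect class described above, as an added example that is not Odoo's code: a toy record model with a constructed ACL, where a follower-subscription call that skips the read-access check lets a user end up on a follower list that a portal rule later treats as proof of access. The names (Record, AccessError, subscribe_*, portal_can_read) are hypothetical.

```python
"""Added illustration of the advisory's issue; not Odoo's real API.

Record, AccessError and the subscribe_* functions are hypothetical names
constructed for this example."""
from dataclasses import dataclass, field


class AccessError(Exception):
    """Raised when a user may not read the target record."""


@dataclass
class Record:
    model: str
    res_id: int
    readers: set                                  # direct read ACL (constructed)
    followers: set = field(default_factory=set)   # subscribed users


def can_read(record, user):
    """Direct access rule, independent of the follower list."""
    return user in record.readers


def subscribe_unchecked(record, user):
    """Vulnerable pattern: any authenticated caller may follow any record."""
    record.followers.add(user)


def subscribe_checked(record, user):
    """Hardened pattern: verify read access on the record before following it."""
    if not can_read(record, user):
        raise AccessError(f"{user} may not read {record.model},{record.res_id}")
    record.followers.add(user)


def portal_can_read(record, user):
    """Portal-style rule the advisory mentions: followers are granted access."""
    return can_read(record, user) or user in record.followers


def demo():
    """Return (escalated, blocked, still_denied) for a constructed private record."""
    private = Record("sale.order", 42, readers={"alice"})
    subscribe_unchecked(private, "mallory")
    escalated = portal_can_read(private, "mallory")   # follower list abused: True
    hardened = Record("sale.order", 42, readers={"alice"})
    try:
        subscribe_checked(hardened, "mallory")
        blocked = False
    except AccessError:
        blocked = True
    return escalated, blocked, not portal_can_read(hardened, "mallory")
```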

IV. Workaround

No workaround is available; updating to the latest revision or applying the
corresponding patch is strongly recommended.

Odoo Cloud servers were patched as soon as the correction was available.

V. Solution

Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).

For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html

VI. Correction details

The following list contains the patches that fix the vulnerability for
each version:

  • 13.0: ef6f86d
  • 13.0-ent (Enterprise): see 13.0.
odony closed this as completed Dec 10, 2022
odoo locked and limited conversation to collaborators Dec 10, 2022