[SEC] CVE-2021-44547 - A sandboxing issue in Odoo Community 15.0 and... #107696

Closed
odony opened this issue Dec 10, 2022 · 0 comments
Labels
Security security announcements

odony commented Dec 10, 2022

Security Advisory - CVE-2021-44547

Affects: Odoo 15.0 (Community and Enterprise Editions)
CVE ID: CVE-2021-44547
Component: Core
Credits: Stephane Debauche

A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0
allows authenticated administrators to execute arbitrary code,
leading to privilege escalation.

I. Background

The framework includes a rendering engine for the QWeb templating language.

II. Problem Description

A programming error in the QWeb rendering engine of Odoo 15.0 made some
sensitive interfaces available to the template code.

III. Impact

Attack Vector: Network exploitable
Authentication: Administrator or privileged account required
CVSS3 Score: High :: 8.7
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

An attacker with administrator or high privileges on a database may
upload a crafted QWeb template and use it to execute arbitrary Python
code, leading to privilege escalation on the hosting server itself.
This may be used to access any local files available to the system
user executing the Odoo service, or to modify files and execute
processes.

This would generally only be a concern on multi-tenant systems, where
administrators may not be trusted.

Odoo S.A. is not aware of any use of this vulnerability in the wild.

IV. Workaround

No workaround is available; updating to the latest revision or applying the
corresponding patch is strongly recommended.

Odoo Cloud servers have been patched as soon as the correction was available.

V. Solution

Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).

For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html

VI. Correction details

The following list contains the patches that fix the vulnerability for
each version:

  • 15.0: 96b09b1
  • 15.0-ent (Enterprise): see 15.0
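The advisory (sections II and III) describes the bug class only in general terms: the template engine let template code reach "sensitive interfaces", so a crafted template supplied by an administrator became arbitrary Python execution as the Odoo service user. The following is an added, generic illustration of that bug class and of the usual countermeasure, written for this page; it is not Odoo's QWeb engine, not the code touched by commit 96b09b1, and makes no claim about what the actual defect was. The {{ expr }} syntax, the function names render_unsafe / render_sandboxed / check_expression / demo, the SandboxError type, the allow-lists and the sample context are all assumptions of this example. It contrasts a renderer that evaluates expressions with plain eval() (builtins such as __import__ are reachable) with one that hides builtins and additionally validates the expression's AST, because hiding builtins alone still leaves introspection paths such as ().__class__.__bases__[0].__subclasses__() open.

```python
"""Generic template-expression sandbox illustration (constructed example; not Odoo code).

Requires Python 3.9+ for the ast node layout used below.
"""
import ast
import re

# Assumed template syntax for this example: {{ expression }} placeholders.
EXPR_RE = re.compile(r"\{\{\s*(.*?)\s*\}\}")


class SandboxError(Exception):
    """Raised when a template expression uses something outside the sandbox."""


def render_unsafe(template, context):
    """Weak renderer: plain eval() of each expression.

    An empty globals dict does not remove builtins; CPython inserts
    __builtins__ automatically, so __import__ and open() are reachable
    from the template. This is what a 'sensitive interface exposed to
    template code' looks like in the smallest possible form.
    """
    return EXPR_RE.sub(lambda m: str(eval(m.group(1), {}, dict(context))), template)


# Node types a template expression may contain: literals, names, attribute and
# item access, arithmetic, comparisons and boolean logic. Calls, lambdas,
# comprehensions and the like are deliberately absent from this allow-list.
ALLOWED_NODES = (
    ast.Expression, ast.Constant, ast.Name, ast.Load,
    ast.Attribute, ast.Subscript, ast.Slice, ast.Tuple, ast.List, ast.Dict,
    ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod,
    ast.And, ast.Or, ast.Not, ast.USub, ast.UAdd,
    ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.In, ast.NotIn,
    getattr(ast, "Index", ast.Subscript),  # pre-3.9 subscript wrapper, if present
)


def check_expression(expr):
    """Parse expr and reject anything outside the allow-list.

    Besides node types, every Name and Attribute is checked for a leading
    underscore: __builtins__, __import__, __class__, __subclasses__ and
    friends are the usual stepping stones out of a sandbox, so they are
    refused even though attribute access in general is permitted.
    """
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise SandboxError(f"invalid expression: {expr!r}") from exc
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise SandboxError(f"{type(node).__name__} not allowed in {expr!r}")
        if isinstance(node, ast.Name) and node.id.startswith("_"):
            raise SandboxError(f"private name {node.id!r} not allowed")
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise SandboxError(f"private attribute {node.attr!r} not allowed")
    return tree


def render_sandboxed(template, context):
    """Renderer that exposes only the explicit context and no builtins.

    Both controls are needed: the empty __builtins__ hides __import__ and
    open(), and the AST check stops the template from reaching them
    indirectly through object introspection.
    """
    def evaluate(match):
        tree = check_expression(match.group(1))
        code = compile(tree, "<template>", "eval")
        return str(eval(code, {"__builtins__": {}}, dict(context)))
    return EXPR_RE.sub(evaluate, template)


def demo():
    """Run constructed inputs: one benign template and three escape attempts."""
    context = {"user": {"name": "alice", "groups": ["base.group_system"]}}  # constructed
    results = {"benign": render_sandboxed(
        "Hello {{ user['name'] }}, admin={{ 'base.group_system' in user['groups'] }}",
        context)}
    attempts = {
        "import": "{{ __import__('os').getcwd() }}",
        "introspect": "{{ ().__class__.__bases__[0].__subclasses__() }}",
        "builtins": "{{ __builtins__ }}",
    }
    for label, tpl in attempts.items():
        try:
            render_sandboxed(tpl, context)
            results[label] = "rendered"
        except SandboxError as exc:
            results[label] = f"blocked: {exc}"
    # The weak renderer runs the same import without complaint.
    results["unsafe_import_runs"] = isinstance(
        render_unsafe("{{ __import__('os').getcwd() }}", {}), str)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the example for a reader of this advisory is the defence-in-depth shape: a template engine that hands administrator-written expressions to the interpreter must both withhold sensitive globals and constrain the expression language itself, and a regression in either layer is enough to turn template upload into code execution on the host.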
@odony odony closed this as completed Dec 10, 2022
@odoo odoo locked and limited conversation to collaborators Dec 10, 2022