Security Advisory - CVE-2021-44547
Affects: Odoo 15.0 (Community and Enterprise Editions)
CVE ID: CVE-2021-44547
Component: Core
Credits: Stephane Debauche
A sandboxing issue in Odoo Community 15.0 and Odoo Enterprise 15.0
allows authenticated administrators to execute arbitrary code,
leading to privilege escalation.
I. Background
The framework includes a rendering engine for the QWeb templating language.
II. Problem Description
A programming error in the QWeb rendering engine of Odoo 15.0 made some
sensitive interfaces available to the template code.
III. Impact
Attack Vector: Network exploitable
Authentication: Administrator or privileged account required
CVSS3 Score: High :: 8.7
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
An attacker with administrator or high privileges on a database may
upload a crafted QWeb template and use it to execute arbitrary Python
code, leading to privilege escalation on the hosting server itself.
This may be used to access any local files available to the system
user executing the Odoo service, or to modify files and execute
processes.
This would generally only be a concern on multi-tenant systems, where
administrators may not be trusted.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
No workaround is available; updating to the latest revision or applying the
corresponding patch is strongly recommended.
Odoo Cloud servers were patched as soon as the correction was available.
V. Solution
Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).
For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html
VI. Correction details
The following list contains the patches that fix the vulnerability for
each version: