Security Advisory - ODOO-SA-2018-08-07-2
Incorrect access control in asset bundles in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows remote authenticated users to inject arbitrary web script via a crafted attachment.
Affects: Odoo 8.0, 9.0, 10.0 (Community and Enterprise Editions)
Component: Core
Credits: Nils Hamerlinck (Trobz)
CVE ID: CVE-2018-14864
I. Background
Odoo's framework includes an automatic mechanism for minifying and
bundling web assets, in order to speed up page loads. This works by
grouping related assets in "bundles", and minifying them together
as a simple file that can be compressed and loaded faster.
As computing and compiling assets is an expensive operation, asset
bundles are cached and stored in the database and file store.
II. Problem Description
The mechanism used to locate and serve cached asset bundles did not
sufficiently validate the origin of the cached files.
III. Impact
Attack Vector: Network exploitable
Authentication: Unprivileged user account required
CVSS3 Score: Medium :: 6.3
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C
An attacker with a non-privileged user account (including a simple portal
user account) could upload a specially crafted attachment in order to
poison the asset bundle cache, and inject arbitrary assets
(JavaScript and CSS code). This could be used to hijack the sessions of
any user accessing the Odoo database via a web browser and allow the
attacker to gain elevated privileges.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
For portal users: administrators can modify the Access Control for
Attachments (ir.attachment) and prevent external users (also known as
"portal users") from creating or modifying attachments. External users
do not normally need this permission except for posting messages with
attachments in the portal, which is an acceptable trade-off.
For internal users: administrators could further modify Access Control to
prevent everyone from creating/modifying Attachments (ir.attachment).
This will entirely prevent exploiting this vulnerability, but comes with
a great functional impact. Many business processes will be disrupted, so
this should only be used as a temporary solution, until the patch can
be applied.
For Odoo Online: all servers have been patched as soon as the correction
was available.
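As an added example (not part of the advisory or of Odoo's own code), the script below audits the ir.model.access rules on ir.attachment and computes the create/write restriction the workaround describes, either for external (portal/public) users only or for everyone. The audit runs on a constructed sample; apply_live uses Odoo's standard XML-RPC API with hypothetical connection parameters.

```python
import xmlrpc.client
# Odoo's real group XML IDs for external users; a rule with no group applies
# to every user (portal included), so None is treated as external too.
EXTERNAL_GROUPS = {"base.group_portal", "base.group_public", None}

def plan_restrictions(rules, restrict_all=False):
    """{rule_id: values_to_write} for ir.model.access rules on ir.attachment
    that still grant create/write. restrict_all=False touches only external or
    global rules (portal workaround); True touches every rule (internal-user
    workaround). Rule keys: id, model, group_xmlid, perm_create, perm_write."""
    changes = {}
    for r in rules:
        if r["model"] != "ir.attachment":
            continue
        if not restrict_all and r["group_xmlid"] not in EXTERNAL_GROUPS:
            continue
        if r["perm_create"] or r["perm_write"]:
            changes[r["id"]] = {"perm_create": False, "perm_write": False}
    return changes

# Constructed sample in the shape of ir.model.access records.
SAMPLE_RULES = [
    {"id": 1, "model": "ir.attachment", "group_xmlid": "base.group_user",
     "perm_create": True, "perm_write": True},
    {"id": 2, "model": "ir.attachment", "group_xmlid": "base.group_portal",
     "perm_create": True, "perm_write": False},
    {"id": 3, "model": "ir.attachment", "group_xmlid": None,  # global rule
     "perm_create": False, "perm_write": True},
    {"id": 4, "model": "res.partner", "group_xmlid": "base.group_portal",
     "perm_create": True, "perm_write": True},
]

def apply_live(url, db, login, password, restrict_all=False):
    """Fetch live rules over XML-RPC (hypothetical connection parameters, admin
    login), resolve group XML IDs, then write the planned restrictions."""
    uid = xmlrpc.client.ServerProxy(url + "/xmlrpc/2/common").authenticate(db, login, password, {})
    api = xmlrpc.client.ServerProxy(url + "/xmlrpc/2/object")
    call = lambda model, method, *a, **kw: api.execute_kw(db, uid, password, model, method, list(a), kw)
    raw = call("ir.model.access", "search_read", [("model_id.model", "=", "ir.attachment")],
               fields=["group_id", "perm_create", "perm_write"])
    gids = [r["group_id"][0] for r in raw if r["group_id"]]
    xmlids = {d["res_id"]: d["module"] + "." + d["name"] for d in call(
        "ir.model.data", "search_read", [("model", "=", "res.groups"), ("res_id", "in", gids)],
        fields=["module", "name", "res_id"])}
    rules = [dict(id=r["id"], model="ir.attachment", perm_create=r["perm_create"], perm_write=r["perm_write"],
                  group_xmlid=xmlids.get(r["group_id"][0]) if r["group_id"] else None) for r in raw]
    changes = plan_restrictions(rules, restrict_all)
    for rid, vals in changes.items():
        call("ir.model.access", "write", [rid], vals)
    return changes
```

Model-level access rights are only one layer of Odoo's access control (record rules in ir.rule are separate), and removing create/write is exactly the trade-off the advisory notes: portal users lose attachment posting until the patch is applied.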
V. Solution
Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: