Security Advisory - ODOO-SA-2018-08-07-8
Incorrect access control in the RPC framework in Odoo Community 8.0 through 11.0 and Odoo Enterprise 9.0 through 11.0 allows authenticated users to call private functions via RPC.
Affects: Odoo 9.0, 10.0, 11.0 (Community and Enterprise Editions)
Component: Odoo Framework
Credits: Nils Hamerlinck (Trobz)
CVE ID: CVE-2018-14863
I. Background
As of Odoo 8.0, the Odoo framework was considerably changed by the
introduction of a new abstraction layer to communicate with the database,
dubbed the "new API".
To simplify the transition, the new API was initially written with a
backwards-compatibility layer so that it could support modules written for
older versions with limited changes.
II. Problem Description
A programming error in the backwards-compatibility layer allows an RPC caller
to bypass the access control that normally blocks private functions (methods
not meant to be exposed through the RPC API) and to invoke them remotely.
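The following is an added illustration, not Odoo's code and not the actual defect (the advisory does not describe it): a toy dispatcher in which the guard that rejects underscore-prefixed method names is applied at one RPC entry point but not at a hypothetical compatibility entry point that resolves the method itself, followed by the hardened layout in which every entry point obtains the callable from a single resolver. The model, entry point and method names and the sample records are assumptions constructed for the example. The audit function tries every private name through every entry point, which is the regression check one would want after applying a patch of this kind.

```python
"""Toy model of the bug class described above (hypothetical, not Odoo code):
a guard that rejects private method names sits in one RPC entry point, while a
second, compatibility entry point resolves names itself and skips it."""


class AccessError(Exception):
    """Raised when a caller asks for a method that is not exposed over RPC."""


class Partner:
    """Stand-in model (assumed). The public method filters by calling user;
    the underscore-prefixed helper does not, as it exists for server code."""

    def __init__(self, rows, uid):
        self._rows = rows
        self.uid = uid

    def name_search(self, term):
        """Public: names of the caller's own records that match term."""
        return [r["name"] for r in self._rows
                if r["owner"] == self.uid and term.lower() in r["name"].lower()]

    def _read_all(self):
        """Private helper: every record, no access check."""
        return [r["name"] for r in self._rows]


def is_private(name):
    """Odoo's convention: a method whose name starts with '_' is private."""
    return name.startswith("_")


# Vulnerable layout: the guard lives in one entry point only.
def execute_kw(model, name, args, kwargs):
    """New-API style entry point: checks the name, then dispatches."""
    if is_private(name):
        raise AccessError("Private methods (such as %s) cannot be called remotely" % name)
    return getattr(model, name)(*args, **kwargs)

def execute_legacy(model, name, args, kwargs):
    """Hypothetical compatibility entry point for old-style callers: it does
    its own attribute lookup and never re-applies the guard (the bug)."""
    return getattr(model, name)(*args, **kwargs)


# Hardened layout: every entry point obtains the callable from one resolver.
def resolve_rpc_method(model, name):
    """Single chokepoint: the guard is enforced where the name is resolved."""
    if is_private(name):
        raise AccessError("Private methods (such as %s) cannot be called remotely" % name)
    method = getattr(model, name, None)
    if not callable(method):
        raise AccessError("Unknown method %r" % name)
    return method

def execute_kw_hardened(model, name, args, kwargs):
    return resolve_rpc_method(model, name)(*args, **kwargs)

def execute_legacy_hardened(model, name, args, kwargs):
    # Old-style calls are still accepted, but the guard can no longer be skipped.
    return resolve_rpc_method(model, name)(*args, **kwargs)


def is_rejected(entry, model, name):
    """True only if the entry point refused the call with AccessError. Anything
    else, including a TypeError raised by a method that was reached, counts as
    a bypass."""
    try:
        entry(model, name, (), {})
    except AccessError:
        return True
    except Exception:
        return False
    return False

def audit_entry_points(entry_points, model, private_names):
    """Regression check: try every private name through every entry point and
    return the (entry point, name) pairs that were not rejected."""
    return [(label, name)
            for label, entry in entry_points.items()
            for name in private_names
            if not is_rejected(entry, model, name)]


SAMPLE_ROWS = [  # constructed sample data: user 2 owns one of three records
    {"name": "Acme", "owner": 1},
    {"name": "Globex", "owner": 2},
    {"name": "Initech", "owner": 1},
]
PRIVATE_NAMES = ["_read_all", "__init__", "__class__"]

def demo():
    """Leaks found before and after the hardening, as seen by a portal user."""
    portal_user = Partner(SAMPLE_ROWS, uid=2)
    before = audit_entry_points(
        {"execute_kw": execute_kw, "execute_legacy": execute_legacy},
        portal_user, PRIVATE_NAMES)
    after = audit_entry_points(
        {"execute_kw": execute_kw_hardened, "execute_legacy": execute_legacy_hardened},
        portal_user, PRIVATE_NAMES)
    return before, after
```

Calling demo() reports three leaks through the legacy entry point before the change (the private helper and two dunder attributes are all reachable) and none after; the public name_search call still works through both hardened entry points, which is the property a fix of this kind must preserve.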
III. Impact
Access Vector: Network exploitable
Access Complexity: Low
Authentication: User account required
CVSS3 Score: High :: 8.1
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
By crafting a specific RPC request, malicious users (including portal users)
may call private methods, not normally exposed via the RPC API.
An attacker may be able to use them outside of the intended scope to retrieve or
alter information stored in the database.
Odoo S.A. is not aware of any malicious use of this vulnerability.
IV. Workaround
No workaround is known, applying the patch is strongly recommended.
Odoo Online servers were patched as soon as the correction was
available.
V. Solution
Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
Adding --dry-run to that command first reports whether every hunk applies
cleanly without modifying any file; hunks that do not apply are otherwise
written to *.rej files and must be applied by hand.
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: