Security Advisory - ODOO-SA-2018-08-07-9
Incorrect access control in the TransientModel framework in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated attackers to access data in transient records that they do not own by making an RPC call before garbage collection occurs.
Affects: Odoo 9.0, 10.0, 11.0 (Community and Enterprise Editions)
Component: Core
Credits: Florent de Labarre
CVE ID: CVE-2018-14866
I. Background
The Odoo framework includes a mechanism for managing temporary records, known as
TransientModels, for the purpose of containing transient data while a certain
screen or operation is in progress. Such records are regularly deleted by a
garbage collector job.
The security model regulating access to TransientModels differs from that of
regular, non-transient models, in that there are no customizable access rights.
A default, hardcoded security policy makes those transient records accessible
only to the user who created them (the owner), and to the administrator.
II. Problem Description
The implementation of the security model for TransientModels was incomplete,
to the effect that some operations were possible by users on transient
records that they did not own.
III. Impact
Attack Vector: Network exploitable
Authentication: Unprivileged user account required
CVSS3 Score: Low :: 3.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
An attacker with an unprivileged user account (even portal users) may be able to
retrieve values of fields from transient records that they did not own, via
specially crafted RPC requests, in the interval between their creation and the
automatic garbage collection.
Such transient records may include limited business or sensitive data that
should not have been accessible to the attacker.
Exploitation would however be difficult in practice, limited by the need to
actually have TransientModels that include sensitive data (which depends on
installed modules), by the need to have a privileged user populate transient
records with the data, and by the need to execute the attack in the limited time
window before the automatic garbage collection.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
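As an added illustration (not Odoo's own code), the owner-only policy described in sections I and II modelled on a constructed in-memory store: every RPC-reachable operation, search included, runs the same ownership check, and the garbage collector is a separate concern, so the interval before vacuum gives a non-owner no access. ADMIN_UID, TransientStore and AccessError are constructed names.

```python
import time

ADMIN_UID = 1  # hypothetical id of the administrator account, exempt from the owner check


class AccessError(Exception):
    """Raised when a user touches a transient record they do not own."""


class TransientStore:
    """Constructed in-memory stand-in for an ORM table of transient records."""

    def __init__(self, ttl_seconds=3600):
        self._records = {}  # id -> {"create_uid", "create_date", "values"}
        self._next_id = 1
        self.ttl = ttl_seconds

    def create(self, uid, values):
        rid = self._next_id
        self._next_id += 1
        self._records[rid] = {"create_uid": uid, "create_date": time.time(), "values": dict(values)}
        return rid

    def _check_owner(self, uid, ids):
        """Every entry point calls this; a record that is missing or owned by someone else is denied."""
        if uid == ADMIN_UID:
            return
        for rid in ids:
            rec = self._records.get(rid)
            if rec is None or rec["create_uid"] != uid:
                raise AccessError("transient record %d is not accessible to user %d" % (rid, uid))

    def search(self, uid):
        """Ownership is applied as a filter, so ids of other users' records are never returned."""
        return [rid for rid, rec in self._records.items() if uid == ADMIN_UID or rec["create_uid"] == uid]

    def read(self, uid, ids, fields):
        self._check_owner(uid, ids)
        return [{f: self._records[rid]["values"].get(f) for f in fields} for rid in ids]

    def vacuum(self, now=None):
        """Garbage collector: drops expired records and returns the count; access control never relies on it."""
        now = time.time() if now is None else now
        expired = [rid for rid, rec in self._records.items() if now - rec["create_date"] > self.ttl]
        for rid in expired:
            del self._records[rid]
        return len(expired)
```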
IV. Workaround
No workaround is known, so applying the patch or updating is strongly
recommended.
Odoo Online servers were patched as soon as the correction was
available.
V. Solution
Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: