Security Advisory - ODOO-SA-2018-08-07-13
The module-description renderer in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not disable RST's local file inclusion, which allows privileged authenticated users to read local files via a crafted module description.
Affects: Odoo 9.0, 10.0, 11.0 (Community and Enterprise Editions)
Component: Core
Credits: Stephane Bidoul (ACSONE SA)
CVE ID: CVE-2018-14886
I. Background
The description of Odoo modules can be written in several formats, including
reStructuredText (RST) format. RST syntax provides a directive to include local
system files, as a way to reuse text components.
II. Problem Description
The directive to include local system files is not deactivated by the module
description renderer.
III. Impact
Attack Vector: Network exploitable
Authentication: Privileged user account required
CVSS3 Score: Medium :: 6.8
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
An attacker with a privileged user account could craft a fake module
description in order to retrieve the content of local files that may contain
sensitive information.
This could be used to access the contents of Odoo configuration files and other
system files readable by the Odoo service, which could include sensitive data
such as passwords.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
Attackers exploiting this vulnerability can only access files readable
by the system user executing Odoo. Sensitive files might therefore be
protected by using filesystem-level permissions to block access to the
Odoo user.
It is very hard to effectively secure a system in this manner, so
applying the patch or updating is strongly recommended.
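As an added example (not part of this advisory and not Odoo's own code), the following Python shows the two defender-side controls the advisory implies: a pre-render check that flags the RST directives able to pull a local file into a module description (``include``, and ``raw`` when it carries ``:file:`` or ``:url:``), and a render wrapper that switches file insertion off through docutils' real ``file_insertion_enabled`` and ``raw_enabled`` settings. The sample description, its placeholder paths and the function names are constructed here; the wrapper assumes the docutils library is installed.

```python
import re

# Directives that can pull a local file into the output: ``include`` reads a file
# directly, ``raw`` does so through its :file: / :url: options.
DIRECTIVE_RE = re.compile(r"^\s*\.\.\s+([A-Za-z][\w-]*)\s*::(.*)$")
RAW_FILE_OPTION_RE = re.compile(r"^\s+:(file|url):")
# docutils settings (real names) that switch file insertion off in the renderer.
HARDENED_SETTINGS = {
    "file_insertion_enabled": False,  # disables include:: and raw :file:/:url:
    "raw_enabled": False,             # disables raw:: passthrough entirely
    "report_level": 5,                # keep docutils system messages out of the page
}

def find_file_insertion_directives(description):
    """Return (line_no, directive, argument) for every directive that would read a file."""
    lines = description.splitlines()
    findings = []
    for no, line in enumerate(lines, 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, arg = m.group(1).lower(), m.group(2).strip()
        if name == "include":
            findings.append((no, name, arg))
        elif name == "raw":
            j = no  # 0-based index of the line after the directive (its option block)
            while j < len(lines) and lines[j].strip() and lines[j][0] in " \t":
                if RAW_FILE_OPTION_RE.match(lines[j]):
                    findings.append((no, name, lines[j].strip()))
                    break
                j += 1
    return findings

def render_description(description):
    """Render RST to an HTML body with file insertion disabled (requires docutils)."""
    from docutils.core import publish_parts
    parts = publish_parts(description, writer_name="html", settings_overrides=HARDENED_SETTINGS)
    return parts["body"]

# Constructed sample description; the paths are placeholders, not real files.
SAMPLE_DESCRIPTION = """\
Legitimate paragraph of a module description.

.. include:: /placeholder/local/file

.. raw:: html
   :file: /placeholder/other/file

.. note:: a harmless admonition, not flagged
"""
```

The scanner is a defence-in-depth check for descriptions submitted by module authors; the renderer setting is the actual fix, since it stops docutils from opening files at all.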
Odoo Cloud servers were patched as soon as the correction was
available.
V. Solution
Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: