[SEC] ODOO-SA-2018-11-28-1 (CVE-2018-15640) - Improper access control in the... #32514

Closed
odony opened this issue Apr 8, 2019 · 0 comments
odony commented Apr 8, 2019

Security Advisory - ODOO-SA-2018-11-28-1

Improper access control in the Helpdesk App of Odoo Enterprise 10.0 through 12.0 allows remote authenticated attackers to obtain elevated privileges via a crafted request.

Affects: Odoo 10.0 Enterprise through 12.0 (Enterprise Editions only)
Component: Helpdesk
Credits: Martin Trigaux and Jérôme Maes
CVE ID: CVE-2018-15640

I. Background

Odoo's Helpdesk App provides multi-channel customer service, with tools
for managing SLA rules, automated actions and team productivity objectives.

II. Problem Description

The web route used to allow helpdesk agents to change their own productivity
targets did not properly control access, and could allow any user to modify
arbitrary attributes of their own user profile.

III. Impact

Attack Vector: Network exploitable
Authentication: User account required
CVSS3 Score: High :: 8.1
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

A malicious user (including external portal users) could craft a request
to alter arbitrary attributes of their own user profile, including sensitive
attributes like the user group they belong to.
This would allow them to gain elevated privileges on the system.
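The two handler shapes contrasted in sections II and III, modelled as an added example in plain Python without the Odoo ORM; this is not Odoo's code or the actual patch, and the field names, group names and handler names are constructed for the illustration:

```python
"""Illustrative model (not Odoo's code) of the bug in ODOO-SA-2018-11-28-1:
a self-service route for an agent's own productivity targets. Field and
group names are constructed for this example."""
import logging

log = logging.getLogger("helpdesk.self_service")

# Fields a user may legitimately change about themselves via this route.
ALLOWED_TARGET_FIELDS = frozenset({"target_closed", "target_rating"})


class FieldNotAllowed(PermissionError):
    """Request tried to write a field outside the allow-list."""


class UserRecord:
    """Stand-in for a user row: login, group membership and two targets."""

    def __init__(self, login, groups):
        self.login = login
        self.groups = set(groups)  # sensitive: drives access rights
        self.target_closed = 0
        self.target_rating = 0


def update_targets_vulnerable(user, values):
    """'Before' shape: every key of the request body is written to the user."""
    for field, value in values.items():
        setattr(user, field, value)  # 'groups' is writable like any other key
    return user


def update_targets_fixed(user, values):
    """Hardened shape: allow-list the fields, validate, then write."""
    unknown = set(values) - ALLOWED_TARGET_FIELDS
    if unknown:
        # Log rejected field names (not values) so attempts are auditable.
        log.warning("user %s sent non-writable fields %s", user.login, sorted(unknown))
        raise FieldNotAllowed(f"not writable via this route: {sorted(unknown)}")
    for field, value in values.items():
        # Targets are non-negative ints; bool is an int subclass, so exclude it.
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"{field} must be a non-negative integer")
    for field, value in values.items():
        setattr(user, field, value)
    return user
```

The check rejects the whole request before any field is written, so a body mixing a legitimate target with a sensitive field leaves the record untouched rather than partially applied.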

This vulnerability only affects Odoo Enterprise deployments where the Helpdesk
application is installed.

Odoo S.A. is not aware of any use of this vulnerability in the wild.

IV. Workaround

Uninstalling the Helpdesk App is the only known workaround to prevent
exploiting this vulnerability, at the expense of losing all the features of that
App, and causing other parts of the Odoo deployment to stop working (depending
on the version and other installed Apps).

Applying the patch is strongly recommended.

Odoo Online servers have been patched as soon as the correction was available.

V. Solution

Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation.

For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/12.0/setup/update.html

If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:

   patch -p0 -f < /path/to/the_patch_file.patch

This command assumes your installation layout corresponds to the latest source
code layout of the Odoo project on GitHub. If your installation differs, please
extract the various patch hunks from the files and apply them in the appropriate
locations.

VI. Correction details

The following list contains the revisions after which the vulnerability
is corrected:

  • 10.0-ent: odoo/enterprise@410e038dd4e561143d741862203e7f3ed69f326a
  • 11.0-ent: odoo/enterprise@f4598e62c342f4a80eba3fc9e04136af8e2ceeea
  • 12.0-ent: odoo/enterprise@677d637ae7ff15a8be19063a049ca22f19851857
  • Community Editions of Odoo are not impacted by this vulnerability.
@odony odony added the Security security announcements label Apr 8, 2019
@odony odony closed this as completed Apr 8, 2019
@odoo odoo locked and limited conversation to collaborators Apr 8, 2019