Security Advisory - ODOO-SA-2018-11-28-3
Improper access control in the Discuss App of Odoo Community 12.0 and earlier, and Odoo Enterprise 12.0 and earlier allows remote authenticated attackers to e-mail themselves arbitrary files from the database, via a crafted RPC request.
Affects: Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier
Component: Discuss
Credits: Benoît Chenal (Excellium-services – Application Security)
CVE ID: CVE-2018-15631
I. Background
Odoo includes an integrated messaging system that allows users to post notes
and messages on business documents, automatically tracks email replies, records
lifecycle events for documents, and provides a real-time chat.
II. Problem Description
The messaging system did not properly restrict access to private files stored in
the database.
III. Impact
Attack Vector: Network exploitable
Authentication: User account required
CVSS3 Score: Medium :: 6.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Malicious users with a valid account (internal or external/portal) may obtain
a copy of arbitrary files stored in the database, even on documents that they
cannot access, by crafting special RPC packets.
This may allow them to access sensitive data, including invoice PDFs or
any confidential data that may be attached to business documents in the
target database.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
This vulnerability can only be exploited by users who are allowed to create
records for the "mail.message" and "mail.mail" models. Restricting create
and write access to these models via ACLs is enough to prevent exploiting
this issue. However, such restrictions would be quite drastic, especially when
applied to internal users, and may prevent users from using most features of the
system.
It is strongly recommended to update your installation to the latest version
instead (or apply the patch) in order to fix the issue without impacting other
features.
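The following Python script is an added example; it is not part of this advisory nor Odoo's own code. It encodes the precondition stated above (create access on both "mail.message" and "mail.mail") and the workaround (no create and no write on either model) as checks over ir.model.access rows, so an administrator applying the interim restriction can confirm it actually covers every group before relying on it. The two ACL sets are constructed for the example and are not the ACLs Odoo ships; fetch_acls, together with the XML-RPC URL, database name and credentials it takes, is an assumption about how a live check would pull the real rows.

```python
"""Check ir.model.access rows against the workaround in ODOO-SA-2018-11-28-3.

Added example, not Odoo code. Two questions are answered per user (given as a
set of groups): does the user still meet the advisory's precondition (create
access on both mail.message and mail.mail), and is the workaround (no create,
no write on either model) actually in place for that user.
"""
import xmlrpc.client

# The two models the advisory names.
TARGET_MODELS = ("mail.message", "mail.mail")

# Constructed sample rows in the shape of ir.model.access records:
# (model, group external id or None for "all users",
#  perm_read, perm_write, perm_create, perm_unlink).
# Illustrative only; these are not the ACLs Odoo ships.
PERMISSIVE_ACLS = [
    ("mail.message", None, 1, 0, 0, 0),
    ("mail.message", "base.group_user", 1, 1, 1, 1),
    ("mail.message", "base.group_portal", 1, 1, 1, 0),
    ("mail.mail", None, 1, 0, 0, 0),
    ("mail.mail", "base.group_user", 1, 1, 1, 1),
    ("mail.mail", "base.group_portal", 1, 1, 1, 0),
]
# The same rows after the advisory's workaround: create and write removed
# from every group, read kept so existing messages still display.
RESTRICTED_ACLS = [(m, g, r, 0, 0, 0) for (m, g, r, _w, _c, _u) in PERMISSIVE_ACLS]


def effective_perms(acls, model, user_groups):
    """Union of every row that applies to the user for one model.

    Odoo grants an operation if any ir.model.access row matching one of the
    user's groups grants it; a row with no group applies to all users. One
    forgotten row therefore re-opens the path for everyone it covers.
    """
    perms = {"read": False, "write": False, "create": False, "unlink": False}
    for acl_model, group, read, write, create, unlink in acls:
        if acl_model != model or (group is not None and group not in user_groups):
            continue
        perms["read"] = perms["read"] or bool(read)
        perms["write"] = perms["write"] or bool(write)
        perms["create"] = perms["create"] or bool(create)
        perms["unlink"] = perms["unlink"] or bool(unlink)
    return perms


def meets_precondition(acls, user_groups):
    """True when the user can create records on both target models, which the
    advisory states is required to reach the vulnerable code path."""
    return all(effective_perms(acls, m, user_groups)["create"] for m in TARGET_MODELS)


def workaround_in_place(acls, user_groups):
    """True when the user has neither create nor write on either target model,
    the restriction the advisory describes as sufficient."""
    return not any(
        p["create"] or p["write"]
        for p in (effective_perms(acls, m, user_groups) for m in TARGET_MODELS)
    )


def groups_still_exposed(acls):
    """Every group named in the rows that, on its own, still meets the precondition."""
    groups = {g for (_m, g, *_rest) in acls if g is not None}
    return sorted(g for g in groups if meets_precondition(acls, {g}))


def fetch_acls(url, db, uid, password):
    """Pull the live rows for the two models over XML-RPC (deployment details
    are assumed; this function is not exercised by the sample run). Groups
    come back as display names, so pass a user's groups in that same form."""
    proxy = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")
    ir_models = proxy.execute_kw(db, uid, password, "ir.model", "search_read",
                                 [[["model", "in", list(TARGET_MODELS)]]],
                                 {"fields": ["model"]})
    id_to_model = {m["id"]: m["model"] for m in ir_models}
    rows = proxy.execute_kw(db, uid, password, "ir.model.access", "search_read",
                            [[["model_id", "in", list(id_to_model)]]],
                            {"fields": ["model_id", "group_id", "perm_read",
                                        "perm_write", "perm_create", "perm_unlink"]})
    return [(id_to_model[r["model_id"][0]],
             r["group_id"][1] if r["group_id"] else None,
             r["perm_read"], r["perm_write"], r["perm_create"], r["perm_unlink"])
            for r in rows]


if __name__ == "__main__":
    for label, acls in (("permissive", PERMISSIVE_ACLS), ("restricted", RESTRICTED_ACLS)):
        print(label, "groups still exposed:", groups_still_exposed(acls))
        for g in ("base.group_user", "base.group_portal"):
            print(f"  {g}: workaround in place = {workaround_in_place(acls, {g})}")
```

Because Odoo grants an operation as soon as any applicable row grants it, the restriction has to be applied to every group a user holds, including rows with no group, which apply to everyone; groups_still_exposed reports any group for which the precondition survives. Restricting only one of the two models is not the advisory's workaround and is reported as such.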
V. Solution
Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation.
For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/12.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to the latest source
code layout of the Odoo project on GitHub. If your installation differs, please
extract the various patch hunks from the files and apply them in the appropriate
locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: