Security Advisory - ODOO-SA-2019-10-25-1
Improper access control in the computed fields system of the framework of Odoo Community 13.0 and Odoo Enterprise 13.0 allows remote authenticated attackers to access sensitive information via crafted RPC requests, which could lead to privilege escalation.
Affects: Odoo Community Edition 13.0 and Odoo Enterprise Edition 13.0
Component: Core/Framework
Credits: Swapnesh Shah
CVE ID: CVE-2019-11780
I. Background
The Odoo Framework includes a facility for automatically computed fields,
which can either be cached in the database (stored fields) or computed on
the fly (non-stored fields).
As of Odoo 13.0, changes in the framework include a modification of the
default behavior for computed fields: they are now computed in "super-user"
mode by default. Previously this option needed to be explicitly set in the
field declaration.
II. Problem Description
Computing stored fields in super-user mode makes sense, because the result
must not depend on the user triggering the computation; proper ACLs still
apply when the field value is accessed after computation.
However, non-stored fields may have values that depend on the context of the
call that computes them, including the current user and their access level.
III. Impact
Attack Vector: Network exploitable
Authentication: User account required
CVSS3 Score: High :: 8.1
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
A malicious user (including external portal users) could craft a request to
trigger the computation of non-stored fields that could reveal sensitive
information and bypass the intended access rights definition, leading
to privilege escalation.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
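The Background and Problem Description sections describe the mechanism abstractly. The following added example (not Odoo's code and not the advisory's patch) models it with a minimal in-memory stand-in for the ORM: a record rule, a super-user environment, a stored compute that is safe to run as super-user because its value is read back through access control, and a non-stored compute whose value depends on who is asking. `compute_sudo` is the name of the real Odoo field attribute; the record data, the `Env` class, the rank field and the `default_compute_sudo` default are all constructed for this example.

```python
"""Toy model of computed fields run as super-user vs. as the caller.

Added example, not Odoo's code. It mimics the behaviour ODOO-SA-2019-10-25-1
describes with a minimal in-memory "ORM" so the effect is visible without Odoo.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

SUPERUSER_ID = 1  # constructed: mirrors Odoo's convention that uid 1 is the superuser


@dataclass(frozen=True)
class Record:
    id: int
    owner_id: int
    salary: int  # the sensitive value a portal user must not see for others


# Constructed sample data: user 2 (a portal user) owns one record, user 3 owns two.
RECORDS: List[Record] = [
    Record(id=1, owner_id=2, salary=3000),
    Record(id=2, owner_id=3, salary=5000),
    Record(id=3, owner_id=3, salary=7000),
]


@dataclass(frozen=True)
class Env:
    """Who a computation runs as: a normal user id, or the superuser."""
    uid: int

    def sudo(self) -> "Env":
        return Env(SUPERUSER_ID)

    def search(self) -> List[Record]:
        """Record rule: a normal user only sees records they own; the superuser sees all."""
        if self.uid == SUPERUSER_ID:
            return list(RECORDS)
        return [r for r in RECORDS if r.owner_id == self.uid]


def total_salary(env: Env) -> int:
    """Non-stored compute whose result depends on the caller's access level."""
    return sum(r.salary for r in env.search())


def salary_rank(env: Env, rec: Record) -> int:
    """Stored compute: rank of a record's salary among all records (1 = highest).

    It needs every record, so it legitimately runs as superuser; the cached
    value is later read through the caller's record rules (see read_stored_ranks).
    """
    return 1 + sum(1 for r in env.search() if r.salary > rec.salary)


def default_compute_sudo(store: bool) -> bool:
    """Default for the toy compute_sudo attribute.

    Odoo 13.0 as shipped used True for every computed field (the advisory's bug).
    The default modelled here is True only for stored fields: a stored value must
    not depend on who triggered the computation, while a non-stored value may,
    and so must keep the caller's environment.
    """
    return store


@dataclass(frozen=True)
class ComputedField:
    compute: Callable[[Env], int]
    store: bool
    compute_sudo: bool

    def read(self, env: Env) -> int:
        # The framework, not the compute function, picks the environment it runs in.
        compute_env = env.sudo() if self.compute_sudo else env
        return self.compute(compute_env)


def field_value_for(uid: int, compute_sudo: bool) -> int:
    """Evaluate the non-stored total_salary field as user `uid`."""
    fld = ComputedField(total_salary, store=False, compute_sudo=compute_sudo)
    return fld.read(Env(uid))


def read_stored_ranks(uid: int) -> Dict[int, int]:
    """Stored field: computed once as superuser, then read under the caller's rules."""
    cache = {r.id: salary_rank(Env(SUPERUSER_ID), r) for r in RECORDS}  # the DB column
    return {r.id: cache[r.id] for r in Env(uid).search()}


if __name__ == "__main__":
    portal_uid = 2
    # Bug: the non-stored field is computed as superuser and sums everyone's salary.
    print("non-stored, compute_sudo=True :", field_value_for(portal_uid, True))
    # Corrected default for non-stored fields: the caller's record rule applies.
    print("non-stored, compute_sudo=False:", field_value_for(portal_uid, False))
    # Stored field: computed as superuser, but only the caller's own rows come back.
    print("stored ranks visible to portal user:", read_stored_ranks(portal_uid))
```

The stored case shows why the super-user default is harmless there: the rank needs all records to be correct, and the record rule still filters which cached values the caller can read. The non-stored case has no such second check, so the environment the compute runs in is the only access control it gets.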
IV. Workaround
There is no known workaround; applying the patches is strongly recommended.
Odoo Cloud servers (Odoo Online and Odoo.sh) were patched as soon as
the correction was available.
V. Solution
Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation.
For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/13.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to the latest source
code layout of the Odoo project on GitHub. If your installation differs, please
extract the various patch hunks from the files and apply them in the appropriate
locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected:
For Odoo Enterprise 13.0, both patches are required.