[SEC] CVE-2019-11782 - Affects: Odoo 14.0 and earlier (Community an... #63707

Closed
odony opened this issue Dec 22, 2020 · 0 comments
Labels
Security security announcements

odony commented Dec 22, 2020

Security Advisory - CVE-2019-11782

Affects: Odoo 14.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2019-11782
Component: Portal
Credits: Damien LESCOS

Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise
14.0 and earlier allows remote authenticated users with access to contact
management to modify user accounts, leading to privilege escalation.

I. Background

Odoo includes a Portal feature, used to grant limited access to
customers and suppliers. It is typically used to let them see
their orders, invoices, or support tickets.

The Portal module that provides this feature comes with a "Portal Access
Management" wizard that can be used by employees with limited privileges
(such as Sales Representatives) to grant portal access to their customers.

II. Problem Description

Insufficient validation of wizard parameters could allow unprivileged
users to modify other users.

III. Impact

Attack Vector: Network exploitable
Authentication: Employee / Internal User account required
CVSS3 Score: High :: 8.1
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

A malicious employee / internal user with access to contact management
could craft a special request to modify the contact information of
another user. This could be used to take over the victim's account,
and lead to privilege escalation.

Odoo S.A. is not aware of any use of this vulnerability in the wild.

IV. Workaround

For version 14.0, administrators may mitigate the problem by blocking
access to the "Portal User Config" model (portal.wizard.user) to
non-administrators, by removing the "Create" and "Write" permissions.
This technique will not work for previous versions.
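The following is an added example, not Odoo's own code or the advisory's patch: it audits access rules for the "portal.wizard.user" model in the shape of flattened ir.model.access rows (group_id as [id, name] or False for a global rule) and computes the hardened rule set the workaround describes. The sample rows are constructed, and "Administration / Settings" is assumed to be the display name of the administrator group.

```python
# Audit Create/Write grants on portal.wizard.user and build the hardened
# rule set (Create/Write stripped from every non-administrator rule).
# Rows are dicts shaped like flattened ir.model.access records:
#   name, model (technical name), group_id ([id, name] or False),
#   perm_read, perm_write, perm_create.

WIZARD_MODEL = "portal.wizard.user"
# Assumption: display name of the administrator group on this instance.
ADMIN_GROUP_NAMES = frozenset({"Administration / Settings"})


def group_name(rule):
    """Group display name, or None for a global rule (applies to everyone)."""
    return rule["group_id"][1] if rule.get("group_id") else None


def audit_wizard_access(rules, admin_groups=ADMIN_GROUP_NAMES):
    """Names of rules granting Create or Write on the wizard model to a
    non-administrator group or to everyone (global rule)."""
    offenders = []
    for rule in rules:
        if rule["model"] != WIZARD_MODEL:
            continue
        if not (rule["perm_create"] or rule["perm_write"]):
            continue  # read-only rule: not what the workaround removes
        if group_name(rule) not in admin_groups:
            offenders.append(rule["name"])
    return offenders


def apply_workaround(rules, admin_groups=ADMIN_GROUP_NAMES):
    """Copy of the rules with Create/Write cleared on every wizard-model
    rule not bound to an administrator group; input is left untouched."""
    hardened = []
    for rule in rules:
        rule = dict(rule)
        if rule["model"] == WIZARD_MODEL and group_name(rule) not in admin_groups:
            rule["perm_create"] = False
            rule["perm_write"] = False
        hardened.append(rule)
    return hardened


SAMPLE_RULES = [  # constructed sample data, not from a real instance
    {"name": "portal.wizard.user.admin", "model": WIZARD_MODEL,
     "group_id": [1, "Administration / Settings"],
     "perm_read": True, "perm_write": True, "perm_create": True},
    {"name": "portal.wizard.user.internal", "model": WIZARD_MODEL,
     "group_id": [2, "User types / Internal User"],
     "perm_read": True, "perm_write": True, "perm_create": True},
    {"name": "portal.wizard.user.global", "model": WIZARD_MODEL,
     "group_id": False,
     "perm_read": True, "perm_write": False, "perm_create": False},
    {"name": "res.partner.user", "model": "res.partner",
     "group_id": [2, "User types / Internal User"],
     "perm_read": True, "perm_write": True, "perm_create": True},
]

if __name__ == "__main__":
    print("Offending rules:", audit_wizard_access(SAMPLE_RULES))
    print("After workaround:", audit_wizard_access(apply_workaround(SAMPLE_RULES)))
```

On a live instance the rows would come from an ir.model.access search_read filtered on the model; the audit should come back empty once the workaround is in place.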

Applying the patches is strongly recommended.

Odoo Cloud servers have been patched as soon as the correction was available.

V. Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:

   patch -p0 -f < /path/to/the_patch_file.patch

This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.

VI. Correction details

The following list contains the revisions after which the vulnerability
is corrected:

  • 11.0: ec541ce
  • 12.0: e56c5f4
  • 13.0: c4462a4
  • 14.0: c0964b3
  • 14.0-ent, 13.0-ent, 12.0-ent and 11.0-ent (Enterprise): see 14.0, 13.0,
    12.0 and 11.0.
@odony odony added the Security security announcements label Dec 22, 2020
@odony odony closed this as completed Dec 22, 2020
@odoo odoo locked and limited conversation to collaborators Dec 22, 2020