[SEC] CVE-2020-29396 - Affects: Odoo 11.0 through 14.0 (Community a... #63712

Closed
@odony

Description

Security Advisory - CVE-2020-29396

Affects: Odoo 11.0 through 13.0 (Community and Enterprise Editions)
CVE ID: CVE-2020-29396
Component: Core
Credits: Toufik Ben Jaa, Stéphane Debauche, Benoît FONTAINE

A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise
11.0 through 13.0, when running with Python 3.6 or later, allows remote
authenticated users to execute arbitrary code, leading to privilege escalation.

I. Background

Odoo includes a sandbox for interpreting dynamic business logic components,
such as the definition of workflows, automated actions, or the dynamic
expressions used within report templates.

II. Problem Description

The default sandbox environment was not sufficiently sanitized when running
Python 3.6 or later.

III. Impact

Attack Vector: Network exploitable
Authentication: Employee / Internal user account required
CVSS3 Score: Critical :: 9.9
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Malicious users holding an internal user account on an Odoo database
could craft code expressions designed to escape the sandbox protection.

This could in turn be used to execute arbitrary code as the operating-system
user running the Odoo service, and from there to launch system commands with
access to local files and local services.

Files and environment variables accessed in this manner may contain sensitive
information such as passwords, which could also allow the attacker to gain
elevated privileges on the hosting machine itself, in addition to being able
to run commands as the service user.

Odoo S.A. is not aware of any use of this vulnerability in the wild.

IV. Workaround

There is no known workaround; applying the patches is strongly recommended.

Odoo Cloud servers have been patched as soon as the correction was available.

V. Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com

To apply the patch, change into the main directory of your Odoo
installation (for 11.0 and later, the one containing the "odoo" and
"addons" directories; older layouts named the former "openerp"),
then execute the patch command, typically:

   patch -p0 -f < /path/to/the_patch_file.patch

This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.

VI. Correction details

The following list contains the revisions after which the vulnerability
is corrected:

  • 11.0: 451cc81
  • 12.0: 2be4763
  • 13.0: cd32b0c
  • 13.0-ent, 12.0-ent and 11.0-ent (Enterprise): see 13.0, 12.0 and 11.0.
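The following script is an added example, not part of the Odoo advisory or of the Odoo code base. It shows how to check a git checkout of Odoo against the correction revisions listed above: it verifies the source layout the `patch -p0` instructions assume, then asks git whether the listed fix commit for the checked-out series is already in the history of `HEAD`. The function names (`check_layout`, `fix_status`, `odoo_fix_status`, `patch_dry_run`) are this example's own; the commit hashes are the ones from section VI.

```shell
#!/bin/sh
# Added example (not Odoo's own tooling): is the CVE-2020-29396 correction
# revision already present in a git checkout of Odoo?

# check_layout DIR: true if DIR looks like an Odoo 11.0+ source tree, i.e. the
# directory from which the advisory's "patch -p0" command is meant to be run.
check_layout() {
    [ -d "$1/odoo" ] && [ -d "$1/addons" ]
}

# fix_commit_for_series SERIES: the correction revision from section VI of the
# advisory for a given stable series (11.0, 12.0, 13.0); fails for any other.
fix_commit_for_series() {
    case "$1" in
        11.0) echo 451cc81 ;;
        12.0) echo 2be4763 ;;
        13.0) echo cd32b0c ;;
        *) return 1 ;;
    esac
}

# fix_status REPO COMMIT prints one word:
#   fixed    COMMIT is HEAD or an ancestor of HEAD (patch already in history)
#   missing  COMMIT exists in the repo but is not in HEAD's history
#   unknown  the repo has no such object at all, typically a stale or shallow
#            clone; run "git fetch" before trusting this answer
fix_status() {
    repo=$1
    commit=$2
    if ! git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null; then
        echo unknown
        return 0
    fi
    if git -C "$repo" merge-base --is-ancestor "$commit" HEAD; then
        echo fixed
    else
        echo missing
    fi
}

# odoo_fix_status REPO: derive the series from the checked-out branch name
# (the stable branches are literally named 11.0, 12.0, 13.0) and check the
# matching correction revision. Returns 2 if the branch is not one the
# advisory lists.
odoo_fix_status() {
    repo=$1
    series=$(git -C "$repo" rev-parse --abbrev-ref HEAD)
    commit=$(fix_commit_for_series "$series") || {
        echo "no correction revision listed for branch '$series'" >&2
        return 2
    }
    fix_status "$repo" "$commit"
}

# patch_dry_run REPO PATCHFILE: rehearse the advisory's patch command without
# touching any file (GNU patch --dry-run), so a layout mismatch shows up as
# rejected hunks instead of a half-applied tree.
patch_dry_run() {
    check_layout "$1" || { echo "unexpected layout in $1" >&2; return 1; }
    patch -p0 -f --dry-run -d "$1" < "$2"
}
```

Run `odoo_fix_status /path/to/odoo` on the checkout the service is started from; a result of `unknown` on a repository that was last fetched before the fix landed is expected, and means fetch and check again rather than assume the patch is missing. The status check only covers git checkouts; for a tarball installation, rehearse the patch with `patch_dry_run` and confirm it applies cleanly before applying it for real.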
