[SEC] CVE-2021-45111 - Improper access control in Odoo Community 15.... · Issue #107683 · odoo/odoo
Security Advisory - CVE-2021-45111
Affects: Odoo 15.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2021-45111
Component: Core
Credits: Nils Hamerlinck (Trobz), Yenthe Van Ginneken
Improper access control in Odoo Community 15.0 and earlier and Odoo
Enterprise 15.0 and earlier allows remote authenticated users to trigger
the creation of demonstration data, including user accounts with known
credentials.
I. Background
To be able to quickly demonstrate features, demonstration data can be added to
an existing Odoo instance. This creates fake employees, products and other
demonstration data.
II. Problem Description
This feature could be triggered by any authenticated user (including portal users) instead of only administrators.
III. Impact
Attack Vector: Network exploitable
Authentication: Employee / Portal user account required
CVSS3 Score: High :: 7.1
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
A malicious low-privilege user (including a portal user account) on an Odoo
database might load demonstration data and use the accounts it creates as a way
to gain access to restricted data or features.
Odoo S.A. is not aware of any exploitation of this vulnerability in the wild; any
exploitation would leave a new user "demo" on the database.
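Because the advisory names two durable traces of exploitation (a new user with login "demo", and modules flagged as having their demonstration data loaded), an administrator can check a database for both after the fact. The script below is an added example written for this page, not code from Odoo S.A. or from the advisory. It pulls both indicators over Odoo's standard XML-RPC API and reduces them to a verdict; the URL, database name and admin credentials are placeholders you must replace, and the verdict logic is a pure function so it can be exercised offline on constructed rows.

```python
"""Post-exploitation check for CVE-2021-45111 on an Odoo database.

Indicators, per the advisory:
  * a res.users record whose login is exactly "demo";
  * ir.module.module records with demo=True (demonstration data loaded).
"""
import xmlrpc.client
from dataclasses import dataclass, field

# Assumed connection details, for illustration only.
URL = "https://odoo.example.com"   # hypothetical instance
DB = "production"                  # hypothetical database name
LOGIN = "admin@example.com"        # hypothetical administrator login
PASSWORD = "change-me"             # hypothetical password


@dataclass
class Finding:
    demo_users: list = field(default_factory=list)    # matching res.users rows
    demo_modules: list = field(default_factory=list)  # module names with demo=True

    @property
    def suspicious(self) -> bool:
        """True when either indicator is present."""
        return bool(self.demo_users or self.demo_modules)


def assess(users, modules) -> Finding:
    """Reduce raw search_read rows to a Finding.

    users   : rows from res.users with at least a 'login' key
    modules : rows from ir.module.module with 'name' and 'demo' keys
    """
    demo_users = [u for u in users if u.get("login") == "demo"]
    demo_modules = sorted(m["name"] for m in modules if m.get("demo"))
    return Finding(demo_users=demo_users, demo_modules=demo_modules)


def fetch(url, db, login, password):
    """Query both indicators over Odoo's /xmlrpc/2 endpoints (needs network)."""
    common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
    uid = common.authenticate(db, login, password, {})
    if not uid:
        raise SystemExit("authentication failed")
    models = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")

    def call(model, method, *args, **kwargs):
        return models.execute_kw(db, uid, password, model, method, list(args), kwargs)

    # active_test=False so an archived "demo" user is still returned.
    users = call("res.users", "search_read",
                 [["login", "=", "demo"]],
                 fields=["login", "active", "create_date"],
                 context={"active_test": False})
    modules = call("ir.module.module", "search_read",
                   [["demo", "=", True]],
                   fields=["name", "state", "demo"])
    return users, modules


if __name__ == "__main__":
    finding = assess(*fetch(URL, DB, LOGIN, PASSWORD))
    if finding.suspicious:
        print("demonstration data present:")
        for u in finding.demo_users:
            print("  user", u["login"], "active" if u["active"] else "archived",
                  "created", u["create_date"])
        print("  demo-flagged modules:", ", ".join(finding.demo_modules) or "none")
    else:
        print("no demonstration data indicators found")
```

Run it with an administrator account; the XML-RPC calls are subject to the same access rules as the web client, so a low-privilege login cannot read ir.module.module. A positive result only proves that demonstration data was loaded, not who loaded it: a database that was deliberately created with demo data will show the same indicators, so compare the "demo" user's create_date with the window in which the unpatched code was exposed before treating the result as a compromise.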
IV. Workaround
No workaround is available, updating to the latest revision or applying the
corresponding patch is strongly recommended.
Odoo Cloud servers have been patched as soon as the correction was available.
V. Solution
Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).
For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html
VI. Correction details
The following list contains the patches that fix the vulnerability for
each version:
- 13.0: 2df06fe
- 14.0: d326153
- 15.0: d326153
- 15.0-ent, 14.0-ent, 13.0-ent (Enterprise): see 15.0, 14.0 and 13.0.
Related news
Debian Linux Security Advisory 5399-1 - Several vulnerabilities were discovered in odoo, a suite of web based open source business apps.