Headline
CVE-2021-23186: [SEC] CVE-2021-23186 - A sandboxing issue in Odoo Community 15.0 and... · Issue #107688 · odoo/odoo
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system.
Security Advisory - CVE-2021-23186
Affects: Odoo 15.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2021-23186
Component: Core
Credits: Nils Hamerlinck (Trobz)
A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise
15.0 and earlier allows authenticated administrators to access and modify
database contents of other tenants, in a multi-tenant system.
I. Background
An Odoo system may host multiple databases on the same server, in a
multi-tenant fashion, while maintaining an isolation between each other.
II. Problem Description
The framework contained a programming error that allowed to escape the
isolation of the database and access other databases hosted on the same
multi-tenant system.
III. Impact
Attack Vector: Network exploitable
Authentication: Privileged user account required
CVSS3 Score: high :: 8.7
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
A malicious administrator might be able to read or modify data of another
database hosted on the same server, by crafting malicious requests.
Systems who host Odoo databases for untrusted users are particularly at risk,
(e.g. SaaS platforms), as they typically allow users to become administrators
of their own Odoo database. This is sufficient to exploit the vulnerability.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
No workaround is available, updating to the latest revision or applying the
corresponding patch is strongly recommended.
Odoo Cloud servers have been patched as soon as the correction was available.
V. Solution
Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).
For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html
VI. Correction details
The following list contains the patches that fix the vulnerability for
each version:
- 13.0: 04e4e70
- 14.0: c1d6d4a
- 15.0: af3b181
- 15.0-ent, 14.0-ent, 13.0-ent (Enterprise): see 15.0, 14.0 and 13.0.
Related news
Debian Linux Security Advisory 5399-1 - Several vulnerabilities were discovered in odoo, a suite of web based open source business apps.