CVE-2021-23203: [SEC] CVE-2021-23203 - Improper access control in reporting engine o... · Issue #107695 · odoo/odoo
Security Advisory - CVE-2021-23203
Affects: Odoo 14.0 through 15.0 (Community and Enterprise Editions)
CVE ID: CVE-2021-23203
Component: Report engine
Credits: Tiffany Chang, iamsushi, Ranjit Pahan, Iago Ruiz
Improper access control in reporting engine of Odoo Community 14.0
through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote
attackers to download PDF reports for arbitrary documents, via crafted
requests.
I. Background
Odoo includes a generic report engine that works on any business record,
based on report templates bundled in Odoo Apps. It uses the same Access
Control definitions as the rest of the system to determine who can open
a report and view its content.
II. Problem Description
A programming error in the report engine did not properly apply the Access
Control settings, and allowed users to access reports on unauthorized
documents.
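To make the failure mode concrete, here is an added illustration (not Odoo code and not the patch referenced in this advisory) of the two patterns side by side: a report renderer that trusts whatever document ids a request names, and one that runs the documents through the same model-level ACL and per-record rule checks the rest of the system uses before rendering anything. The data model, users, groups and rule are all constructed for the example; only the principle matches the advisory.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


class AccessError(Exception):
    """Raised when the requesting user may not read the documents of a report."""


@dataclass
class Record:
    model: str
    id: int
    owner: str      # login of the user who owns the document
    content: str    # what the rendered PDF would disclose


@dataclass
class User:
    login: str
    groups: Set[str] = field(default_factory=set)


# Constructed sample data: a tiny in-memory database with two documents.
DB: Dict[Tuple[str, int], Record] = {
    ("sale.order", 1): Record("sale.order", 1, "alice", "Quotation for ACME, total 12,000"),
    ("sale.order", 2): Record("sale.order", 2, "bob", "Quotation for Globex, total 45,000"),
}

# Constructed model-level ACL: which groups may read which model.
MODEL_ACL: Dict[str, Set[str]] = {"sale.order": {"sales", "admin"}}

PUBLIC = User("public")             # unauthenticated visitor, no groups at all
ALICE = User("alice", {"sales"})
BOB = User("bob", {"sales"})
ADMIN = User("admin", {"sales", "admin"})


def record_rule_allows(user: User, rec: Record) -> bool:
    """Constructed record rule: owners see their own documents, admins see all."""
    return "admin" in user.groups or rec.owner == user.login


def browse(model: str, ids: List[int]) -> List[Record]:
    """Load the requested records; an unknown id is an error, not a silent skip."""
    try:
        return [DB[(model, i)] for i in ids]
    except KeyError:
        raise LookupError(f"unknown {model} record in {ids}") from None


def render(recs: List[Record]) -> str:
    """Stand-in for the PDF renderer: returns the text the report would contain."""
    return "\n".join(f"{r.model}#{r.id}: {r.content}" for r in recs)


def render_report_unchecked(user: User, model: str, ids: List[int]) -> str:
    """Vulnerable pattern: whoever names an id in the request gets the document."""
    return render(browse(model, ids))


def check_access(user: User, model: str, recs: List[Record]) -> None:
    """Apply the model ACL first, then the per-record rule, before any rendering."""
    if not (MODEL_ACL.get(model, set()) & user.groups):
        raise AccessError(f"{user.login} may not read {model}")
    denied = [r.id for r in recs if not record_rule_allows(user, r)]
    if denied:
        raise AccessError(f"{user.login} may not read {model} ids {denied}")


def render_report(user: User, model: str, ids: List[int]) -> str:
    """Hardened pattern: the documents are access-checked, then rendered."""
    recs = browse(model, ids)
    check_access(user, model, recs)
    return render(recs)


def can_download(user: User, model: str, ids: List[int]) -> bool:
    """Reports whether render_report would succeed for this user and document set."""
    try:
        render_report(user, model, ids)
        return True
    except AccessError:
        return False


if __name__ == "__main__":
    print(render_report_unchecked(PUBLIC, "sale.order", [1, 2]))  # discloses both quotations
    print(can_download(PUBLIC, "sale.order", [1]))                # False
    print(can_download(ALICE, "sale.order", [1]))                 # True
    print(can_download(ALICE, "sale.order", [2]))                 # False
```

The check deliberately runs over the full set of requested records and rejects the whole request if any one of them is denied; a renderer that filtered silently would still tell the caller which ids exist.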
III. Impact
Attack Vector: Network exploitable
Authentication: User account not necessarily required
CVSS3 Score: High :: 7.5
CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
This allows malicious users, including external users without a
user account, to access reports on arbitrary documents in an
affected database, as long as such a report exists.
This would not usually allow privilege escalation, but may
lead to unauthorized disclosure of sensitive information.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
No workaround is available; updating to the latest revision or applying the
corresponding patch is strongly recommended.
Odoo Cloud servers were patched as soon as the correction was available.
V. Solution
Update to the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
If updating is not an option, you may instead apply the patch corresponding
to your Odoo installation (links provided below).
For the actual update procedure, please refer to our update instructions, valid
for all versions: https://www.odoo.com/documentation/15.0/setup/update.html
VI. Correction details
The following list contains the patches that fix the vulnerability for
each version:
- 14.0: f2c1ee5
- 15.0: Same patch as for 14.0 applies for 15.0.
- 14.0-ent and 15.0-ent (Enterprise): see 14.0.