CVE-2017-10804 — Missing Authentication for Critical Function in Odoo

CWE-306 — Missing Authentication for Critical Function3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

0.9%

top 24.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Odoo Debian Odoo

Timeline

PublishedJul 4

Latest updateMay 17

Description

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, remote attackers can bypass authentication under certain circumstances because parameters containing 0x00 characters are truncated before reaching the database layer. This occurs because Psycopg 2.x before 2.6.3 is used.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDodoo/odoo10.0, 8.0, 9.0+2

▶debiandebian/odoo

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-j3c8-pr4x-cmqw: In Odoo 8↗2022-05-17

▶

📋Vendor Advisories

Debian

CVE-2017-10804: odoo - In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9....↗2017

▶