CVE-2020-29396 — Privilege Defined With Unsafe Actions in Community

CWE-267 — Privilege Defined With Unsafe Actions CWE-269 — Improper Privilege Management5 documents5 sources

Severity

8.8HIGHNVD

EPSS

1.8%

top 17.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Odoo Community Odoo Enterprise Odoo +2 more

Timeline

PublishedDec 22

Latest updateMay 24

Description

A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶CVEListV5odoo/odoo_community11.0 — unspecified+1

▶CVEListV5odoo/odoo_enterprise11.0 — unspecified+1

▶NVDodoo/odoo11.0 — 13.0

▶debiandebian/odoo

▶msrcmsrc/cm1_python3_3.7.10-3_on_cbl_mariner_1.0

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-fg5r-c9qq-q3wm: A sandboxing issue in Odoo Community 11↗2022-05-24

▶

OSV

CVE-2020-29396: A sandboxing issue in Odoo Community 11↗2020-12-22

▶

📋Vendor Advisories

Microsoft

A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0 when running with Python 3.6 or later allows remote authenticated users to execute arbitrary code leading t↗2020-12-08

▶

Debian

CVE-2020-29396: odoo - A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 ...↗2020

▶