CVE-2021-23203 — Improper Access Control in Odoo

CWE-284 — Improper Access Control CWE-863 — Incorrect Authorization5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 28.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Odoo Debian Odoo Odoo Community +1 more

Timeline

PublishedApr 25

Description

Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5odoo/odoo_community14.0 — 15.0

▶CVEListV5odoo/odoo_enterprise14.0 — 15.0

▶debiandebian/odoo< odoo 14.0.0+dfsg.2-7+deb11u1 (bullseye)

▶Debianodoo/odoo< 14.0.0+dfsg.2-7+deb11u1

▶NVDodoo/odoo14.0, 15.0+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2021-23203: Improper access control in reporting engine of Odoo Community 14↗2023-04-25

▶

GHSA

GHSA-5fvm-8263-p85v: Improper access control in reporting engine of Odoo Community 14↗2023-04-25

▶

📋Vendor Advisories

Debian

CVE-2021-23203: odoo - Improper access control in reporting engine of Odoo Community 14.0 through 15.0,...↗2021

▶