CVE-2018-15632 - OpenCVE

Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Complete

AV:N/AC:L/Au:N/C:N/I:P/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Odoo	Odoo

Configuration 1 [-]

OR	cpe:2.3:a:odoo:odoo:::::community:::*
	cpe:2.3:a:odoo:odoo:::::enterprise:::*

References

Link	Resource
https://github.com/odoo/odoo/issues/63700	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: odoo

Published: 2020-12-22T16:25:31

Updated: 2020-12-22T16:25:31

Reserved: 2018-08-21T00:00:00

Link: CVE-2018-15632

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-12-22T17:15:12.487

Modified: 2020-12-22T20:04:57.467

Link: CVE-2018-15632

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "Odoo Community", "vendor": "Odoo", "versions": [{"lessThanOrEqual": "11.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Odoo Enterprise", "vendor": "Odoo", "versions": [{"lessThanOrEqual": "11.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "P. Valov (SoCyber)"}], "descriptions": [{"lang": "en", "value": "Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-22T16:25:31", "orgId": "22c90092-d340-4fb8-a06e-f1193e012523", "shortName": "odoo"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/odoo/odoo/issues/63700"}], "source": {"advisory": "ODOO-SA-2020-12-02", "discovery": "EXTERNAL"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@odoo.com", "ID": "CVE-2018-15632", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Odoo Community", "version": {"version_data": [{"version_affected": "<=", "version_value": "11.0"}]}}, {"product_name": "Odoo Enterprise", "version": {"version_data": [{"version_affected": "<=", "version_value": "11.0"}]}}]}, "vendor_name": "Odoo"}]}}, "credit": [{"lang": "eng", "value": "P. Valov (SoCyber)"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": " CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://github.com/odoo/odoo/issues/63700", "refsource": "MISC", "url": "https://github.com/odoo/odoo/issues/63700"}]}, "source": {"advisory": "ODOO-SA-2020-12-02", "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523", "assignerShortName": "odoo", "cveId": "CVE-2018-15632", "datePublished": "2020-12-22T16:25:31", "dateReserved": "2018-08-21T00:00:00", "dateUpdated": "2020-12-22T16:25:31", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*", "matchCriteriaId": "D9126A1A-FA35-4127-91B3-A3FA8B26FABB", "versionEndIncluding": "11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "9ACA123F-EF25-4E9D-8D60-4368B2F25FA0", "versionEndIncluding": "11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper input validation in database creation logic in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to initialize an empty database on which they can connect with default credentials."}, {"lang": "es", "value": "Una comprobaci\u00f3n de entrada inapropiada en la l\u00f3gica de creaci\u00f3n de la base de datos en Odoo Community versiones 11.0 y anteriores y Odoo Enterprise versiones 11.0 y anteriores, permite a atacantes remotos inicializar una base de datos vac\u00eda en la que pueden conectarse con las credenciales predeterminadas"}], "id": "CVE-2018-15632", "lastModified": "2020-12-22T20:04:57.467", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 8.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 7.8, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security@odoo.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-12-22T17:15:12.487", "references": [{"source": "security@odoo.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/odoo/odoo/issues/63700"}], "sourceIdentifier": "security@odoo.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@odoo.com", "type": "Secondary"}]}