OpenCVE

Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Odoo	Odoo

Configuration 1 [-]

OR	cpe:2.3:a:odoo:odoo:::::community:::*
	cpe:2.3:a:odoo:odoo:::::enterprise:::*

No data.

References

Link	Providers
https://github.com/odoo/odoo/issues/107683
https://www.debian.org/security/2023/dsa-5399

History

No history.

MITRE

Status: PUBLISHED

Assigner: odoo

Published: 2023-04-25T18:33:00.392Z

Updated: 2024-08-04T04:39:20.253Z

Reserved: 2021-12-27T06:14:42.059Z

Link: CVE-2021-45111

Vulnrichment

Updated: 2024-08-04T04:39:20.253Z

NVD

Status : Modified

Published: 2023-04-25T19:15:10.020

Modified: 2024-11-21T06:31:59.163

Link: CVE-2021-45111

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-45111", "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523", "state": "PUBLISHED", "assignerShortName": "odoo", "dateReserved": "2021-12-27T06:14:42.059Z", "datePublished": "2023-04-25T18:33:00.392Z", "dateUpdated": "2024-08-04T04:39:20.253Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "22c90092-d340-4fb8-a06e-f1193e012523", "shortName": "odoo", "dateUpdated": "2024-07-15T00:27:54.327174Z"}, "affected": [{"vendor": "Odoo", "product": "Odoo Community", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "15.0", "versionType": "semver"}]}, {"vendor": "Odoo", "product": "Odoo Enterprise", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "15.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials."}], "references": [{"url": "https://github.com/odoo/odoo/issues/107683"}, {"url": "https://www.debian.org/security/2023/dsa-5399"}], "metrics": [{"format": "CVSS", "cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "Improper Access Control", "type": "CWE"}]}], "credits": [{"lang": "eng", "value": "Nils Hamerlinck", "type": "finder"}, {"lang": "eng", "value": "Yenthe Van Ginneken", "type": "finder"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-16T13:41:04.565422Z", "id": "CVE-2021-45111", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-16T13:41:21.387Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:39:20.253Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/odoo/odoo/issues/107683", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5399", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/odoo/odoo/issues/107683", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5399", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:39:20.253Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-45111", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-16T13:41:04.565422Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-16T13:41:16.543Z"}}], "cna": {"credits": [{"lang": "eng", "type": "finder", "value": "Nils Hamerlinck"}, {"lang": "eng", "type": "finder", "value": "Yenthe Van Ginneken"}], "metrics": [{"format": "CVSS", "cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Odoo", "product": "Odoo Community", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "15.0"}], "defaultStatus": "unaffected"}, {"vendor": "Odoo", "product": "Odoo Enterprise", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "15.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/odoo/odoo/issues/107683"}, {"url": "https://www.debian.org/security/2023/dsa-5399"}], "descriptions": [{"lang": "en", "value": "Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "Improper Access Control"}]}], "providerMetadata": {"orgId": "22c90092-d340-4fb8-a06e-f1193e012523", "shortName": "odoo", "dateUpdated": "2024-07-15T00:27:54.327174Z"}}}, "cveMetadata": {"cveId": "CVE-2021-45111", "state": "PUBLISHED", "dateUpdated": "2024-08-04T04:39:20.253Z", "dateReserved": "2021-12-27T06:14:42.059Z", "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523", "datePublished": "2023-04-25T18:33:00.392Z", "assignerShortName": "odoo"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*", "matchCriteriaId": "C5B912BD-1FB4-418A-9CE3-FBE0903D70BA", "versionEndIncluding": "15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "2BFAF5BD-20F9-402C-B7EB-4E0294A572AE", "versionEndIncluding": "15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper access control in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials."}], "id": "CVE-2021-45111", "lastModified": "2024-11-21T06:31:59.163", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security@odoo.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-04-25T19:15:10.020", "references": [{"source": "security@odoo.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://github.com/odoo/odoo/issues/107683"}, {"source": "security@odoo.com", "url": "https://www.debian.org/security/2023/dsa-5399"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://github.com/odoo/odoo/issues/107683"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2023/dsa-5399"}], "sourceIdentifier": "security@odoo.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@odoo.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}