CVE-2021-23186 - Vulnerability Details - OpenCVE

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Odoo	Odoo

Configuration 1 [-]

OR	cpe:2.3:a:odoo:odoo:::::community:::*
	cpe:2.3:a:odoo:odoo:::::enterprise:::*

No data.

References

Link	Providers
https://github.com/odoo/odoo/issues/107688
https://www.debian.org/security/2023/dsa-5399

History

No history.

MITRE

Status: PUBLISHED

Assigner: odoo

Published: 2023-04-25T18:33:36.536Z

Updated: 2024-08-03T19:05:53.896Z

Reserved: 2021-12-27T06:19:18.852Z

Link: CVE-2021-23186

Vulnrichment

Updated: 2024-08-03T19:05:53.896Z

NVD

Status : Modified

Published: 2023-04-25T19:15:09.340

Modified: 2024-11-21T05:51:20.653

Link: CVE-2021-23186

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2021-23186", "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523", "state": "PUBLISHED", "assignerShortName": "odoo", "dateReserved": "2021-12-27T06:19:18.852Z", "datePublished": "2023-04-25T18:33:36.536Z", "dateUpdated": "2024-08-03T19:05:53.896Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "22c90092-d340-4fb8-a06e-f1193e012523", "shortName": "odoo", "dateUpdated": "2024-07-15T00:27:54.327174Z"}, "affected": [{"vendor": "Odoo", "product": "Odoo Community", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "15.0", "versionType": "semver"}]}, {"vendor": "Odoo", "product": "Odoo Enterprise", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "15.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system."}], "references": [{"url": "https://github.com/odoo/odoo/issues/107688"}, {"url": "https://www.debian.org/security/2023/dsa-5399"}], "metrics": [{"format": "CVSS", "cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-267", "description": "Privilege Defined With Unsafe Actions", "type": "CWE"}]}], "credits": [{"lang": "eng", "value": "Nils Hamerlinck", "type": "finder"}]}, "adp": [{"affected": [{"vendor": "odoo", "product": "odoo_community", "cpes": ["cpe:2.3:a:odoo:odoo_community:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "15.0", "versionType": "semver"}]}, {"vendor": "odoo", "product": "odoo_enterprise", "cpes": ["cpe:2.3:a:odoo:odoo_enterprise:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "15.0", "versionType": "semver"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-17T20:54:45.816025Z", "id": "CVE-2021-23186", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-17T20:57:01.095Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:53.896Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/odoo/odoo/issues/107688", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5399", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/odoo/odoo/issues/107688", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5399", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:05:53.896Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-23186", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-07-17T20:54:45.816025Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:odoo:odoo_community:*:*:*:*:*:*:*:*"], "vendor": "odoo", "product": "odoo_community", "versions": [{"status": "affected", "version": "0", "lessThan": "15.0", "versionType": "semver"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:odoo:odoo_enterprise:*:*:*:*:*:*:*:*"], "vendor": "odoo", "product": "odoo_enterprise", "versions": [{"status": "affected", "version": "0", "lessThan": "15.0", "versionType": "semver"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-17T20:56:39.200Z"}}], "cna": {"credits": [{"lang": "eng", "type": "finder", "value": "Nils Hamerlinck"}], "metrics": [{"format": "CVSS", "cvssV3_0": {"scope": "CHANGED", "version": "3.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Odoo", "product": "Odoo Community", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "15.0"}], "defaultStatus": "unaffected"}, {"vendor": "Odoo", "product": "Odoo Enterprise", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "15.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/odoo/odoo/issues/107688"}, {"url": "https://www.debian.org/security/2023/dsa-5399"}], "descriptions": [{"lang": "en", "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-267", "description": "Privilege Defined With Unsafe Actions"}]}], "providerMetadata": {"orgId": "22c90092-d340-4fb8-a06e-f1193e012523", "shortName": "odoo", "dateUpdated": "2024-07-15T00:27:54.327174Z"}}}, "cveMetadata": {"cveId": "CVE-2021-23186", "state": "PUBLISHED", "dateUpdated": "2024-08-03T19:05:53.896Z", "dateReserved": "2021-12-27T06:19:18.852Z", "assignerOrgId": "22c90092-d340-4fb8-a06e-f1193e012523", "datePublished": "2023-04-25T18:33:36.536Z", "assignerShortName": "odoo"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*", "matchCriteriaId": "C5B912BD-1FB4-418A-9CE3-FBE0903D70BA", "versionEndIncluding": "15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "2BFAF5BD-20F9-402C-B7EB-4E0294A572AE", "versionEndIncluding": "15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system."}], "id": "CVE-2021-23186", "lastModified": "2024-11-21T05:51:20.653", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security@odoo.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-04-25T19:15:09.340", "references": [{"source": "security@odoo.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://github.com/odoo/odoo/issues/107688"}, {"source": "security@odoo.com", "url": "https://www.debian.org/security/2023/dsa-5399"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://github.com/odoo/odoo/issues/107688"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2023/dsa-5399"}], "sourceIdentifier": "security@odoo.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-267"}], "source": "security@odoo.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}