PT-2017-11515 · Psycopg+1 · Psycopg+1

Benkuhn

Published

2017-07-04

Updated

2017-07-12

CVE-2017-10804

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Odoo versions 8.0, 9.0, and 10.0 Odoo Community Edition versions 9.0 and 10.0 Odoo Enterprise Edition versions 9.0 and 10.0

Description The issue allows remote attackers to bypass authentication under certain circumstances. This happens because parameters containing 0x00 characters are truncated before reaching the database layer due to the use of Psycopg 2.x before 2.6.3.

Recommendations For Odoo versions 8.0, 9.0, and 10.0, consider updating Psycopg to version 2.6.3 or later to prevent parameter truncation. For Odoo Community Edition versions 9.0 and 10.0, update Psycopg to version 2.6.3 or later. For Odoo Enterprise Edition versions 9.0 and 10.0, update Psycopg to version 2.6.3 or later.

Exploit

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-306

Related Identifiers

CVE-2017-10804

Affected Products

Odoo

Psycopg

PT-2017-11515 · Psycopg+1 · Psycopg+1

CVE-2017-10804

Weakness Enumeration

Related Identifiers

Affected Products

References · 5