CVE-2018-14868 : Security Advisory and Response

Learn about CVE-2018-14868, a flaw in Odoo Community 9.0 and Odoo Enterprise 9.0 that allows users to change other users' passwords without knowing the current ones. Find mitigation steps and prevention measures here.

A vulnerability in the access control mechanism of the Password Encryption module in Odoo Community 9.0 and Odoo Enterprise 9.0 allows authenticated users to modify other users' passwords without knowing their current passwords.

Understanding CVE-2018-14868

This CVE identifies a flaw in the access control mechanism of the Password Encryption module in Odoo Community and Odoo Enterprise versions 9.0.

What is CVE-2018-14868?

The vulnerability enables authenticated users to change the passwords of other users through a manipulated RPC call without requiring knowledge of the current passwords.

The Impact of CVE-2018-14868

The vulnerability could lead to unauthorized password changes, compromising user accounts and potentially exposing sensitive information.

Technical Details of CVE-2018-14868

The technical aspects of the CVE provide insight into the vulnerability's specifics.

Vulnerability Description

The flaw in the access control mechanism of the Password Encryption module allows authenticated users to alter other users' passwords via a crafted RPC call.

Affected Systems and Versions

        Odoo Community 9.0
        Odoo Enterprise 9.0

Exploitation Mechanism

The vulnerability can be exploited by authenticated users, who use a manipulated RPC call to change other users' passwords without needing the current passwords.

Mitigation and Prevention

Protecting systems from CVE-2018-14868 requires immediate actions and long-term security practices.

Immediate Steps to Take

        Monitor user password changes for any unauthorized modifications.
        Implement strict access controls to limit user privileges.
        Apply security patches and updates promptly.
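
The monitoring step above, as an added example that is not part of the original advisory or of Odoo itself: it flags password changes where the acting account differs from the account whose password changed and the actor is not a designated administrator. The JSON-lines audit format, its field names, the sample records and the ADMIN_UIDS set are all assumptions constructed for illustration.

```python
import json

# Constructed sample audit records in a hypothetical JSON-lines format
# (not Odoo's own log format).
SAMPLE_LOG = """\
{"ts": "2018-08-01T09:12:03Z", "event": "password_change", "actor_uid": 7, "target_uid": 7}
{"ts": "2018-08-01T09:15:40Z", "event": "password_change", "actor_uid": 1, "target_uid": 12}
{"ts": "2018-08-01T09:31:22Z", "event": "password_change", "actor_uid": 7, "target_uid": 12}
{"ts": "2018-08-01T09:31:25Z", "event": "login", "actor_uid": 12}
not-json garbage line
{"ts": "2018-08-01T09:40:00Z", "event": "password_change", "actor_uid": 9}
"""

# Assumption: accounts that are permitted to reset other users' passwords.
ADMIN_UIDS = {1}


def find_suspicious_password_changes(log_text, admin_uids=ADMIN_UIDS):
    """Return (findings, unparsed).

    findings: password changes made by a non-admin on another user's account.
    unparsed: line numbers that could not be evaluated and need manual review.
    """
    findings, unparsed = [], []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            unparsed.append(lineno)
            continue
        if not isinstance(rec, dict) or rec.get("event") != "password_change":
            continue
        actor, target = rec.get("actor_uid"), rec.get("target_uid")
        if actor is None or target is None:
            # An incomplete record must not be silently treated as benign.
            unparsed.append(lineno)
            continue
        if actor != target and actor not in admin_uids:
            findings.append({"line": lineno, "ts": rec.get("ts"),
                             "actor_uid": actor, "target_uid": target})
    return findings, unparsed


if __name__ == "__main__":
    hits, skipped = find_suspicious_password_changes(SAMPLE_LOG)
    for h in hits:
        print("ALERT: uid %(actor_uid)s changed password of uid %(target_uid)s at %(ts)s" % h)
    print("lines needing manual review:", skipped)
```

Self-service changes and administrator resets pass; malformed or incomplete records are reported separately so that gaps in the audit trail are visible.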

Long-Term Security Practices

        Conduct regular security audits to identify vulnerabilities.
        Educate users on secure password practices and the importance of access control.

Patching and Updates

        Install the latest patches provided by Odoo to address the access control vulnerability in the Password Encryption module.
