A vulnerability in Odoo Community and Odoo Enterprise versions before 13.0 could allow users with deactivated accounts to access the system.
Understanding CVE-2021-44460
What is CVE-2021-44460?
Odoo Community 13.0 and earlier, as well as Odoo Enterprise 13.0 and earlier, suffer from improper access control, enabling users with deactivated accounts to access the system and retain permissions through crafted requests.
The Impact of CVE-2021-44460
The vulnerability poses a high-severity risk with confidentiality, integrity, and availability impacts, potentially leading to unauthorized access and misuse of the system by deactivated account holders.
Technical Details of CVE-2021-44460
Vulnerability Description
The issue stems from improper access control in the affected Odoo versions: a user whose account has been deactivated can keep using that account, with its existing permissions, by sending crafted Remote Procedure Call (RPC) requests instead of going through the normal login path.
Affected Systems and Versions
Exploitation Mechanism
An attacker who holds the credentials of a deactivated account can exploit this vulnerability by sending specially crafted RPC requests to the system; the access control check does not reject the deactivated account, so the request is processed with the permissions the account held before deactivation.
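The server-side check that closes this class of flaw, and an audit over request logs that surfaces calls made after an account was deactivated, as an added illustration; this is not Odoo's own code, and the user table, log format and function names are constructed assumptions.

```python
"""Gate RPC calls on account status and audit logs for post-deactivation use."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class User:
    uid: int
    login: str
    deactivated_at: Optional[datetime]  # None while the account is active


@dataclass
class RpcCall:
    ts: datetime
    uid: int
    model: str
    method: str


def is_active_at(user: User, ts: datetime) -> bool:
    """An account is usable only before its deactivation timestamp."""
    return user.deactivated_at is None or ts < user.deactivated_at


def authorize_rpc(user: Optional[User], ts: datetime) -> bool:
    """Server-side gate: a valid session or password is not enough on its own;
    the account must also still be active when the RPC request is handled."""
    return user is not None and is_active_at(user, ts)


def parse_log(text: str) -> List[RpcCall]:
    """Parse the constructed log format: '<ISO timestamp> uid=<n> <model> <method>'."""
    calls = []
    for line in text.strip().splitlines():
        ts, uid, model, method = line.split()
        calls.append(RpcCall(datetime.fromisoformat(ts), int(uid[len("uid="):]), model, method))
    return calls


def find_post_deactivation_calls(users: List[User], calls: List[RpcCall]) -> List[RpcCall]:
    """Return every call that the gate would have rejected (unknown or deactivated uid)."""
    by_uid = {u.uid: u for u in users}
    return [c for c in calls if not authorize_rpc(by_uid.get(c.uid), c.ts)]


# Constructed sample data: uid 7 was deactivated on 2021-11-30 at 18:00.
USERS = [User(2, "admin", None), User(7, "former_employee", datetime(2021, 11, 30, 18, 0))]
LOG = """2021-11-30T17:55:00 uid=7 res.partner read
2021-11-30T18:10:00 uid=7 res.partner write
2021-12-01T09:00:00 uid=2 res.users write
2021-12-01T09:05:00 uid=99 sale.order read"""

if __name__ == "__main__":
    for call in find_post_deactivation_calls(USERS, parse_log(LOG)):
        print(f"suspicious RPC call: {call}")
```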
Mitigation and Prevention
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
Regularly apply security patches and updates released by Odoo to address known vulnerabilities and enhance the overall security posture of the system.