CVE-2020-29396

2020-12-2216:25:39

CWE-267

odoo

www.cve.org

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

8.8 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.8%

JSON

A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation.

CNA Affected

[
  {
    "product": "Odoo Community",
    "vendor": "Odoo",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "11.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Odoo Enterprise",
    "vendor": "Odoo",
    "versions": [
      {
        "lessThan": "unspecified",
        "status": "affected",
        "version": "11.0",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Odoo Community",
    "vendor": "Odoo",
    "versions": [
      {
        "lessThanOrEqual": "13.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Odoo Enterprise",
    "vendor": "Odoo",
    "versions": [
      {
        "lessThanOrEqual": "13.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]