Vulnerabilities > CVE-2017-10803 - Deserialization of Untrusted Data vulnerability in Odoo 10.0/8.0/9.0

CVSS 8.5 - HIGH

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

odoo

CWE-502

exploit available

NVD

Published: 2017-07-04

Updated: 2019-10-03

Summary

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used.

Vulnerable Configurations

Part	Description	Count
Application	Odoo Odoo Odoo 8.0 Odoo Odoo 9.0 Odoo Odoo 10.0	5

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Exploit-Db

description	Odoo CRM 10.0 - Code Execution. CVE-2017-10803. Local exploit for Linux platform
id	EDB-ID:44064
last seen	2018-02-15
modified	2017-06-30
published	2017-06-30
reporter	Exploit-DB
source	https://www.exploit-db.com/download/44064/
title	Odoo CRM 10.0 - Code Execution

References

https://github.com/odoo/odoo/issues/17898