Vulnerabilities > CVE-2017-10803 - Deserialization of Untrusted Data vulnerability in Odoo 10.0/8.0/9.0

CVSS 6.5 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

odoo

CWE-502

exploit available

NVD

Published: 2017-07-04

Updated: 2019-10-03

Summary

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, insecure handling of anonymization data in the Database Anonymization module allows remote authenticated privileged users to execute arbitrary Python code, because unpickle is used.

Vulnerable Configurations

Part	Description	Count
Application	Odoo Odoo Odoo 9.0 Odoo Odoo 10.0 Odoo Odoo 8.0	5

Common Weakness Enumeration (CWE)

CWE-502 - Deserialization of Untrusted Data

Exploit-Db

description	Odoo CRM 10.0 - Code Execution. CVE-2017-10803. Local exploit for Linux platform
id	EDB-ID:44064
last seen	2018-02-15
modified	2017-06-30
published	2017-06-30
reporter	Exploit-DB
source	https://www.exploit-db.com/download/44064/
title	Odoo CRM 10.0 - Code Execution

References

https://github.com/odoo/odoo/issues/17898