CVE-2020-29396

DEB

High

A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows…

CVSS

8.8

High

EPSS

0.03

p86

Published

2020-01-01

Updated

2020-01-01

Description

A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation.

Tags · CWE

CWE-267

CAPEC-58

CAPEC-634

CAPEC-637

CAPEC-643

CAPEC-648

Affected products

OdooOdooOdooOdooOdooOdooOdooOdooOdooOdooOdooOdooOdoo

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

2020-01-01

Published

2020-01-01

Updated

CVSS 3.1 breakdown

Attack Vector

AV: N

Network (N)

Attack Complexity

AC: L

Low (L)

Privileges Required

PR: L

Low (L)

User Interaction

UI: N

None (N)

Scope

S: U

Unchanged (U)

Confidentiality Impact

C: H

High (H)

Integrity Impact

I: H

High (H)

Availability Impact

A: H

High (H)

Exploit indicators

EPSS

0.032 · p86

Known exploited (KEV)

MITRE ATT&CK

Inferred via CAPEC

T1113Screen Capture

└ via CAPEC-648 · CWE-267

T1115Clipboard Data

└ via CAPEC-637 · CWE-267

T1123Audio Capture

└ via CAPEC-634 · CWE-267

T1125Video Capture

└ via CAPEC-634 · CWE-267

T1135Network Share Discovery

└ via CAPEC-643 · CWE-267

T1513Screen Capture

└ via CAPEC-648 · CWE-267

Known exploits — Сканер-ВС

No Сканер-ВС checks registered for this vulnerability yet.

Affected products

Product	Vendor	Status
odoo		Tracked
odoo		Tracked
odoo		Tracked
odoo		Tracked
odoo		Tracked
odoo		Tracked
odoo		Tracked
odoo		Tracked
odoo		Tracked
odoo		Tracked
odoo		Tracked
odoo		Tracked
odoo	*	Tracked

Source databases

DEB

CVE

UBU