VYPR
Unrated severity · NVD Advisory · Published Jul 3, 2019 · Updated Aug 5, 2024

CVE-2018-14863

Description

Incorrect access control in the RPC framework in Odoo Community 8.0 through 11.0 and Odoo Enterprise 9.0 through 11.0 allows authenticated users to call private functions via RPC.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users can call private functions via RPC in Odoo due to incorrect access control in the backwards-compatibility layer.

Vulnerability

The vulnerability resides in the RPC framework of Odoo, specifically in the backwards-compatibility layer introduced with the new API in version 8.0. A programming error allows bypassing access controls, enabling authenticated users to call private functions that are not normally exposed via RPC. Affected versions include Odoo Community 8.0 through 11.0 and Odoo Enterprise 9.0 through 11.0 [1].

Exploitation

An attacker needs a valid user account (including portal users) and network access to the Odoo instance. The attack complexity is low. By crafting a specific RPC request, the attacker can invoke private methods that are not intended to be accessible through the RPC API. No additional user interaction is required beyond authentication [1].

Impact

Successful exploitation allows an attacker to retrieve or alter information stored in the database, impacting both confidentiality and integrity. There is no impact on availability. The CVSS v3 score is 8.1 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N [1].

Mitigation

No workaround is known. Odoo S.A. has released patches for the affected versions. Users should apply the corresponding patch or update to the latest revision of their Odoo installation. Odoo Online servers have already been patched. Refer to the advisory for patch details and update instructions [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

1