VYPR
Unrated severity · NVD Advisory · Published Jun 28, 2019 · Updated Aug 5, 2024

CVE-2018-14868

Description

Incorrect access control in the Password Encryption module in Odoo Community 9.0 and Odoo Enterprise 9.0 allows authenticated users to change the password of other users without knowing their current password via a crafted RPC call.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users in Odoo 9.0 can change arbitrary user passwords via crafted RPC calls due to missing access control in the auth_crypt module.

Vulnerability

The Password Encryption module (auth_crypt) in Odoo Community 9.0 and Odoo Enterprise 9.0 suffers from improper access control [1][2]. Authenticated users (including portal users) can change the password of any other user without knowing that user's current password. This is achieved by crafting a malicious RPC call to the affected module. The vulnerability affects only Odoo version 9.0 (both Community and Enterprise editions) [1].

Exploitation

An attacker needs a valid user account (any role, including portal) and network access to the Odoo instance. No additional privileges or user interaction are required. The attacker crafts a specific RPC request targeting the auth_crypt module's password change functionality, bypassing the check that normally requires knowledge of the current password [1]. The exploit is remote and can be executed with low complexity [1].

Impact

Successful exploitation allows the attacker to force a chosen password onto any user account, including administrators [1]. This leads to a complete compromise of confidentiality and integrity — the attacker can log in as the victim, access their data, and perform actions with the victim's privileges. The attack does not directly affect availability [1]. CVSSv3 base score is 8.1 (High).

Mitigation

Odoo S.A. has released patches; users should apply the corresponding patch or update to the latest revision of the affected version from GitHub or the official download page [1]. There is no known workaround other than restricting remote access to trusted IPs, or uninstalling the auth_crypt module (which will lock out all users currently authenticated with hashed passwords). Odoo Online servers were patched as soon as the correction was available [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)