{"id": "CVE-2018-6620", "bulletinFamily": "NVD", "title": "CVE-2018-6620", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", "published": "2018-02-04T23:29:00", "modified": "2018-07-10T21:29:05", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6620", "reporter": "NVD", "references": [], "cvelist": ["CVE-2018-6620"], "type": "cve", "lastseen": "2018-07-11T10:55:11", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": [], "cvelist": ["CVE-2018-6620"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Odoo does not require authentication to be configured for a Backup Database action.", "edition": 1, "enchantments": {"score": {"modified": "2018-02-05T15:17:00", "value": 4.0}}, "hash": "402bac55c72b6eb0aa2e405cdc2906779168bc968e7ecc1f802899b3fd14c988", "hashmap": [{"hash": "6e224e12a532a7dc2cd76c0e6329a3d4", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "62a10a155ecde1e8831963c9f429d4d5", "key": "cvelist"}, {"hash": "2b559967225d70dc48ca6b5616f5d60b", "key": "description"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "296638b04749b0536e8b6baaf5d208cc", "key": "references"}, {"hash": "f894c60a31c74cc3ccfd2ad8aa1f5376", "key": "href"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "4209eb1176a56072f9154e5f74bd7142", "key": "modified"}, {"hash": "4209eb1176a56072f9154e5f74bd7142", "key": "published"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6620", "id": "CVE-2018-6620", "lastseen": "2018-02-05T15:17:00", "modified": "2018-02-04T23:29:00", "objectVersion": "1.3", "published": "2018-02-04T23:29:00", "references": ["http://asdedc.bid/odoo.html"], "reporter": "NVD", "scanner": [], "title": "CVE-2018-6620", "type": "cve", "viewCount": 0}, "differentElements": ["cvss", "modified", "cpe"], "edition": 1, "lastseen": "2018-02-05T15:17:00"}, {"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:odoo:odoo:-"], "cvelist": ["CVE-2018-6620"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "Odoo does not require authentication to be configured for a Backup Database action.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "db3a9b5dadabb3cfe755460ec2690b55e05802b47929e319d75f95d952dc7c08", "hashmap": [{"hash": "6e224e12a532a7dc2cd76c0e6329a3d4", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "62a10a155ecde1e8831963c9f429d4d5", "key": "cvelist"}, {"hash": "2b559967225d70dc48ca6b5616f5d60b", "key": "description"}, {"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "26769fd423968d45be7383413e2552f1", "key": "cvss"}, {"hash": "296638b04749b0536e8b6baaf5d208cc", "key": "references"}, {"hash": "f894c60a31c74cc3ccfd2ad8aa1f5376", "key": "href"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "6e7282a785735fde9b46e2b0f4c0ed96", "key": "modified"}, {"hash": "20b6a767b5c883fb1d3ac7097d0157da", "key": "cpe"}, {"hash": "4209eb1176a56072f9154e5f74bd7142", "key": "published"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6620", "id": "CVE-2018-6620", "lastseen": "2018-02-28T11:58:23", "modified": "2018-02-27T11:13:07", "objectVersion": "1.3", "published": "2018-02-04T23:29:00", "references": ["http://asdedc.bid/odoo.html"], "reporter": "NVD", "scanner": [], "title": "CVE-2018-6620", "type": "cve", "viewCount": 4}, "differentElements": ["cvss", "references", "description", "modified", "cpe"], "edition": 2, "lastseen": "2018-02-28T11:58:23"}], "edition": 3, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "62a10a155ecde1e8831963c9f429d4d5"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "fe43f53992d5371428de360754fd53a0"}, {"key": "href", "hash": "f894c60a31c74cc3ccfd2ad8aa1f5376"}, {"key": "modified", "hash": "76d2ad1ddc274815d54c9a846671d8df"}, {"key": "published", "hash": "4209eb1176a56072f9154e5f74bd7142"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "6e224e12a532a7dc2cd76c0e6329a3d4"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "3bdd9186fe8e5b92e9d81a8c04b1dcad5d4c1fedae673f8f77e8ecb8788b97d6", "viewCount": 10, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "cpe": [], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}

{"openvas": [{"lastseen": "2018-10-29T12:35:05", "references": ["http://asdedc.bid/odoo.html", "https://www.odoo.com"], "pluginID": "1361412562310812757", "description": "The host is running Odoo software and is\n prone to an authentication bypass vulnerability.", "edition": 8, "reporter": "Copyright (C) 2018 Greenbone Networks GmbH", "published": "2018-02-08T00:00:00", "title": "Odoo 'Backup Database Action' Authentication Bypass Vulnerability", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-6620"], "modified": "2018-10-26T00:00:00", "id": "OPENVAS:1361412562310812757", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812757", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_odoo_backup_db_action_auth_bypass_vuln.nasl 12120 2018-10-26 11:13:20Z mmartin $\n#\n# Odoo 'Backup Database Action' Authentication Bypass Vulnerability\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:odoo:odoo\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812757\");\n script_version(\"$Revision: 12120 $\");\n script_cve_id(\"CVE-2018-6620\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 13:13:20 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-02-08 13:00:22 +0530 (Thu, 08 Feb 2018)\");\n script_name(\"Odoo 'Backup Database Action' Authentication Bypass Vulnerability\");\n\n script_tag(name:\"summary\", value:\"The host is running Odoo software and is\n prone to an authentication bypass vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send the crafted HTTP GET request\n and check whether it is able to backup websites databases directly with\n no authorized accounts.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists as Odoo does not require\n authentication to be configured for a 'Backup Database' action.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote\n attacker to backup websites databases directly with no authenticated accounts.\");\n\n script_tag(name:\"affected\", value:\"Odoo Management Software.\");\n\n script_tag(name:\"solution\", value:\"No known solution is available as of 12th September, 2018. Information\n regarding this issue will be updated once solution details are available.\");\n\n script_tag(name:\"solution_type\", value:\"NoneAvailable\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n script_xref(name:\"URL\", value:\"http://asdedc.bid/odoo.html\");\n script_xref(name:\"URL\", value:\"https://www.odoo.com\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_odoo_remote_detect.nasl\");\n script_mandatory_keys(\"Odoo/Detected\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif (!odPort = get_app_port(cpe:CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe:CPE, port:odPort))\n exit(0);\n\nif( dir == \"/\" ) dir = \"\";\n\nurl = dir + '/web/database/manager#action=database_manager';\n\nif (http_vuln_check(port:odPort, url:url , pattern: '<title>Odoo</title>',\n extra_check:make_list('Create Database', 'Set Master Password', '>Backup Database<', '>Restore Database<'),\n check_header: TRUE)) {\n report = report_vuln_url(port:odPort, url:url);\n security_message(port:odPort, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}