Search...

CVE-2018-6620

2018-02-05T04:29:00

ID CVE-2018-6620
Type cve
Reporter cve@mitre.org
Modified 2018-07-11T01:29:00

Description

REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

JSON Vulners Source

Initial Source

{"id": "CVE-2018-6620", "bulletinFamily": "NVD", "title": "CVE-2018-6620", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.", "published": "2018-02-05T04:29:00", "modified": "2018-07-11T01:29:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-6620", "reporter": "cve@mitre.org", "references": [], "cvelist": ["CVE-2018-6620"], "type": "cve", "lastseen": "2019-05-29T18:20:28", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cpe23", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvelist", "hash": "62a10a155ecde1e8831963c9f429d4d5"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "cvss2", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "description", "hash": "fe43f53992d5371428de360754fd53a0"}, {"key": "href", "hash": "f894c60a31c74cc3ccfd2ad8aa1f5376"}, {"key": "modified", "hash": "a102168c9a6a6d5f65bc61c493245174"}, {"key": "published", "hash": "49caa44da042fce9e9ec133c5829953c"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "6e224e12a532a7dc2cd76c0e6329a3d4"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "06900aa40f4d1e0288a27cef59a1ee77b58babc7e3c0dbddbade6ac9ca1ac3fd", "viewCount": 2, "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2019-05-29T18:20:28"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310812757"]}], "modified": "2019-05-29T18:20:28"}, "vulnersScore": 0.6}, "objectVersion": "1.3", "cpe": [], "affectedSoftware": [], "cvss2": {}, "cvss3": {}, "cpe23": [], "cwe": []}

{"openvas": [{"lastseen": "2019-01-18T16:10:43", "bulletinFamily": "scanner", "description": "This VT has been deprecated since CVE-2018-6620 has been rejected.\n\n The host is running Odoo software and is\n prone to an authentication bypass vulnerability.", "modified": "2019-01-18T00:00:00", "published": "2018-02-08T00:00:00", "id": "OPENVAS:1361412562310812757", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812757", "title": "Odoo 'Backup Database Action' Authentication Bypass Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_odoo_backup_db_action_auth_bypass_vuln.nasl 13133 2019-01-18 04:50:16Z ckuersteiner $\n#\n# Odoo 'Backup Database Action' Authentication Bypass Vulnerability\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:odoo:odoo\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812757\");\n script_version(\"$Revision: 13133 $\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-01-18 05:50:16 +0100 (Fri, 18 Jan 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-02-08 13:00:22 +0530 (Thu, 08 Feb 2018)\");\n\n script_name(\"Odoo 'Backup Database Action' Authentication Bypass Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This VT has been deprecated since CVE-2018-6620 has been rejected.\n\n The host is running Odoo software and is\n prone to an authentication bypass vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send the crafted HTTP GET request\n and check whether it is able to backup websites databases directly with\n no authorized accounts.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists as Odoo does not require\n authentication to be configured for a 'Backup Database' action.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote\n attacker to backup websites databases directly with no authenticated accounts.\");\n\n script_tag(name:\"affected\", value:\"Odoo Management Software.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n script_xref(name:\"URL\", value:\"http://asdedc.bid/odoo.html\");\n script_xref(name:\"URL\", value:\"https://www.odoo.com\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_odoo_remote_detect.nasl\");\n script_mandatory_keys(\"Odoo/Detected\");\n script_require_ports(\"Services/www\", 80);\n\n script_tag(name:\"deprecated\", value:TRUE);\n\n exit(0);\n}\n\nexit(66);\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nif (!odPort = get_app_port(cpe:CPE))\n exit(0);\n\nif (!dir = get_app_location(cpe:CPE, port:odPort))\n exit(0);\n\nif( dir == \"/\" ) dir = \"\";\n\nurl = dir + '/web/database/manager#action=database_manager';\n\nif (http_vuln_check(port:odPort, url:url , pattern: '<title>Odoo</title>',\n extra_check:make_list('Create Database', 'Set Master Password', '>Backup Database<', '>Restore Database<'),\n check_header: TRUE)) {\n report = report_vuln_url(port:odPort, url:url);\n security_message(port:odPort, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}