CVE-2021-23186

2023-04-2519:15:09

CWE-267

odoo

web.nvd.nist.gov

cve-2021-23186

sandboxing issue

odoo community

odoo enterprise

multi-tenant system

database security

CVSS3

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

AI Score

8.3

Confidence

High

EPSS

0.001

Percentile

35.0%

JSON

A sandboxing issue in Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier allows authenticated administrators to access and modify database contents of other tenants, in a multi-tenant system.

Affected configurations

Nvd

Node

odooodooRange≤15.0community

odooodooRange≤15.0enterprise

VendorProductVersionCPE
odooodoo*cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*
odooodoo*cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*

Vendor	Product	Version	CPE
odoo	odoo	*	cpe:2.3:a:odoo:odoo:::::community:::*
odoo	odoo	*	cpe:2.3:a:odoo:odoo:::::enterprise:::*

CNA Affected

[
  {
    "vendor": "Odoo",
    "product": "Odoo Community",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "15.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "vendor": "Odoo",
    "product": "Odoo Enterprise",
    "defaultStatus": "unaffected",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "15.0",
        "versionType": "semver"
      }
    ]
  }
]