CVE-2017-10804
Severity: CRITICAL
Odoo 8.0, 9.0, 10.0 - Unauthenticated Authentication Bypass via Null Byte Truncation
In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, remote attackers can bypass authentication under certain circumstances because parameters containing 0x00 characters are truncated before reaching the database layer. This occurs because Psycopg 2.x before 2.6.3 is used.
References (3)
Patch, Third Party Advisory: https://github.com/odoo/odoo/issues/17914
Release Notes: http://initd.org/psycopg/docs/news.html#what-s-new-in-psycopg-2-6-3
Exploit, Third Party Advisory: https://github.com/psycopg/psycopg2/issues/420
Scores
CVSS v3: 9.8
EPSS: 0.0341
EPSS Percentile: 87.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-306
Status: published
Products (3)
odoo/odoo 8.0
odoo/odoo 9.0 (2 CPE variants)
odoo/odoo 10.0 (2 CPE variants)
Published: Jul 04, 2017
Tracked Since: Feb 18, 2026