CVE-2017-10804

Exploit

EPSS 0.88%
Veröffentlicht 04.07.2017 18:29:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, remote attackers can bypass authentication under certain circumstances because parameters containing 0x00 characters are truncated before reaching the database layer. This occurs because Psycopg 2.x before 2.6.3 is used.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Odoo ≫ Odoo Version8.0

Odoo ≫ Odoo Version9.0 SwEditioncommunity

Odoo ≫ Odoo Version9.0 SwEditionenterprise

Odoo ≫ Odoo Version10.0 SwEditioncommunity

Odoo ≫ Odoo Version10.0 SwEditionenterprise

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.88%	0.743

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

http://initd.org/psycopg/docs/news.html#what-s-new-in-psycopg-2-6-3

Release Notes

https://github.com/odoo/odoo/issues/17914

Patch

Third Party Advisory

https://github.com/psycopg/psycopg2/issues/420

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2017-10804

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2017-10804

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2017-10804

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2017-10804