CVE-2018-15632
📋 TL;DR
This vulnerability allows remote attackers to create empty databases in Odoo Community and Odoo Enterprise versions 11.0 and earlier. The attacker can then log in to the newly created database with its default credentials and obtain administrative rights inside that database, from which the rest of the deployment can be attacked. All Odoo installations running a vulnerable version with the database manager reachable from untrusted networks are affected.
💻 Affected Systems
- Odoo Community
- Odoo Enterprise
📦 What is this software?
Odoo by Odoo
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attackers gain administrative access, steal sensitive business data, install malware, or use the system as a foothold for lateral movement.
Likely Case
Unauthorized database creation on the shared PostgreSQL server, leading to data manipulation, privilege escalation within the attacker-created database, or disruption of business operations (disk and connection exhaustion, confusion between legitimate and rogue databases).
If Mitigated
Limited impact with proper network segmentation, strong authentication, and monitoring preventing successful exploitation.
🎯 Exploit Status
The vulnerability is straightforward to exploit with publicly available information. Attackers can use simple HTTP requests to trigger the database creation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Odoo 12.0 or later, or Odoo 11.0 with the 2018 security patches applied
Vendor Advisory: https://github.com/odoo/odoo/issues/63700
Restart Required: Yes
Instructions:
1. Upgrade to Odoo 12.0 or later.
2. If staying on Odoo 11.0, apply the security patch from the Odoo repository.
3. Restart the Odoo service after patching.
🔧 Temporary Workarounds
Disable Database Manager
Prevents unauthorized database creation by disabling the database management interface (creation, duplication, drop, backup and restore all go through it).
Edit the Odoo configuration file and set 'list_db = False'. This also disables the database selector, so set 'dbfilter' (or 'db_name') so that incoming requests are routed to the right database.
Restart the Odoo service.
Network Access Control
Restrict access to the Odoo database management endpoints.
A packet filter cannot see URL paths, so do this at the reverse proxy: deny /web/database/manager, /web/database/selector, /web/database/create and the other /web/database/ endpoints for everyone except administrative source addresses.
Use a reverse proxy (nginx, Apache, HAProxy) with access controls in front of Odoo rather than exposing port 8069 directly.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Odoo instances from untrusted networks
- Enable detailed logging and monitoring for database creation activities and unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check the Odoo version via the web interface or configuration files. Versions 11.0 and earlier without the 2018 security patch are vulnerable; the version number alone cannot prove a patched 11.0, so also confirm the configuration below and test that database creation is refused.
Check Version:
Check the Odoo configuration file, or run the following from the interpreter (or virtualenv) Odoo is installed in: python3 -c "import odoo; print(odoo.release.version)" (Odoo 10 and earlier run on Python 2, and 9.0 and earlier import as 'openerp' rather than 'odoo').
Verify Fix Applied:
Verify that the Odoo version is 12.0 or later, or confirm that the 2018 security patches are applied. Then test from a non-administrative network position that /web/database/manager is refused and that unauthorized database creation is no longer possible.
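The following is an added example, not code from the Odoo project or from this advisory. It combines the two checks above (the "Check Version" step and the "Disable Database Manager" / "Network Access Control" workarounds) into one offline triage: it parses the version string that `odoo.release.version` reports and audits an odoo.conf for the settings that govern remote database creation. Assumptions are labelled in the code: version strings look like `11.0` or `11.0+e` (the Enterprise suffix), the keys `list_db`, `admin_passwd` and `dbfilter` are the real Odoo options, a missing or literal `admin` master password is treated as weak, and both sample configurations are constructed for this example.

```python
"""Offline triage for CVE-2018-15632 exposure (added example, not Odoo code).

Inputs: the string odoo.release.version reports, and the text of odoo.conf.
Assumptions (labelled): version strings look like '11.0' or '11.0+e';
list_db, admin_passwd and dbfilter are the real Odoo option names;
a missing or literal 'admin' master password counts as weak.
"""
import configparser
import re

# Constructed sample: a default-looking odoo.conf that leaves the database
# manager reachable and the master password at its well-known value.
WEAK_CONF = """\
[options]
admin_passwd = admin
db_host = False
db_port = False
db_user = odoo
db_password = False
addons_path = /usr/lib/python3/dist-packages/odoo/addons
"""

# Constructed sample: the same config with the workarounds applied.
HARDENED_CONF = """\
[options]
admin_passwd = Xh2q9vLpR4wTn8bKs6Ym
db_host = False
db_port = False
db_user = odoo
db_password = False
list_db = False
dbfilter = ^production$
addons_path = /usr/lib/python3/dist-packages/odoo/addons
"""

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)")


def version_in_affected_range(version):
    """True when the reported version is 11.0 or earlier (the advisory's range).

    A patched 11.0 still returns True: the version alone cannot prove the 2018
    patch is present, so pair this with the config audit and a live test.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Odoo version string: %r" % version)
    major, minor = int(m.group(1)), int(m.group(2))
    return (major, minor) <= (11, 0)


def audit_odoo_conf(conf_text):
    """Return findings for the settings that govern remote database creation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    opts = cp["options"] if cp.has_section("options") else {}
    findings = []

    # list_db defaults to True: the database manager answers to anyone.
    list_db = str(opts.get("list_db", "True")).strip().lower()
    if list_db != "false":
        findings.append("list_db is not False: /web/database/manager and "
                        "/web/database/create are reachable")

    # The master password gates create/drop/backup/restore. Assumption: an
    # unset or literal 'admin' value is the well-known default and is weak.
    master = str(opts.get("admin_passwd", "")).strip()
    if master in ("", "admin"):
        findings.append("admin_passwd is unset or 'admin'")
    elif len(master) < 16:
        findings.append("admin_passwd is shorter than 16 characters")

    # dbfilter pins which database a hostname may reach, so an attacker-
    # created database is not selectable even if creation slips through.
    if not str(opts.get("dbfilter", "")).strip():
        findings.append("dbfilter is unset: any database name is selectable")
    return findings


def triage(version, conf_text):
    """Combine the version check and config audit into one verdict."""
    findings = audit_odoo_conf(conf_text)
    affected = version_in_affected_range(version)
    return {
        "version": version,
        "version_in_affected_range": affected,
        "findings": findings,
        # Exposed = affected version AND the database manager still reachable.
        "exposed": affected and any(f.startswith("list_db") for f in findings),
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, triage("11.0+e", conf))
```

Run it against your own odoo.conf by reading the file into `triage()`; an empty findings list on an 11.0 install still only means the workarounds are in place, not that the patch is, so finish with the live test described above.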
📡 Detection & Monitoring
Log Indicators:
- Database creation events (logged by the odoo.service.db logger) that do not match a change ticket
- Failed authentication attempts with default credentials, especially against a database nobody recognises
- Requests to /web/database/manager, /web/database/selector or /web/database/create from sources other than administrative hosts
Network Indicators:
- HTTP POST requests to database creation endpoints from unexpected IP addresses
- Traffic patterns indicating database initialization
SIEM Query:
source="odoo.log" AND ("Create database" OR "/web/database/manager" OR "/web/database/create")
(Odoo does not log the literal phrase "database creation"; a created database appears as a `Create database` message from odoo.service.db, and the HTTP requests appear in the werkzeug access lines. Check the exact wording against your own version's log output.)
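The detection logic behind the indicators above, as an added example that is not part of the advisory or of Odoo: it parses constructed sample lines in the shape of Odoo 11's default log format (`<time> <pid> <level> <db> <logger>: <message>`), flags database-manager requests from non-administrative source addresses, and attributes each `Create database` event to the most recent POST to /web/database/create, since the creation message itself carries no client IP. Assumptions are labelled in the code: the werkzeug access-line layout and the `odoo.service.db: Create database \`name\`.` message text are as the author recalls them from a stock server, and the administrative source allowlist and all log lines are invented for the example.

```python
"""Detection over Odoo log lines for CVE-2018-15632 activity (added example).

Assumptions (labelled): werkzeug access lines and the
'odoo.service.db: Create database `name`.' message match a stock Odoo 11
server; ADMIN_SOURCES and every sample line below are constructed.
"""
import re

# Constructed sample log, not captured from a real system. A legitimate
# admin (10.0.0.7) creates 'acme'; an outside host then creates 'x9k2'
# and logs in to it.
SAMPLE_LOG = """\
2018-09-01 12:00:00,101 2214 INFO ? werkzeug: 10.0.0.7 - - [01/Sep/2018 12:00:00] "GET /web/database/manager HTTP/1.1" 200 -
2018-09-01 12:00:01,240 2214 INFO ? werkzeug: 10.0.0.7 - - [01/Sep/2018 12:00:01] "POST /web/database/create HTTP/1.1" 303 -
2018-09-01 12:00:01,300 2214 INFO ? odoo.service.db: Create database `acme`.
2018-09-01 12:03:17,018 2214 INFO ? werkzeug: 203.0.113.44 - - [01/Sep/2018 12:03:17] "GET /web/database/manager HTTP/1.1" 200 -
2018-09-01 12:03:19,555 2214 INFO ? werkzeug: 203.0.113.44 - - [01/Sep/2018 12:03:19] "POST /web/database/create HTTP/1.1" 303 -
2018-09-01 12:03:19,610 2214 INFO ? odoo.service.db: Create database `x9k2`.
2018-09-01 12:03:25,000 2214 INFO x9k2 werkzeug: 203.0.113.44 - - [01/Sep/2018 12:03:25] "POST /web/login HTTP/1.1" 303 -
2018-09-01 12:05:00,000 2214 INFO acme werkzeug: 10.0.0.7 - - [01/Sep/2018 12:05:00] "GET /web HTTP/1.1" 200 -
"""

ADMIN_SOURCES = {"10.0.0.7"}  # assumption: hosts allowed to use the manager

# Endpoints served by Odoo's database controller.
DB_MGMT_PATHS = ("/web/database/manager", "/web/database/selector",
                 "/web/database/create", "/web/database/duplicate",
                 "/web/database/drop", "/web/database/restore")

ACCESS_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \d+ \w+ \S+ werkzeug: (?P<ip>\S+) - - \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
CREATE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \d+ \w+ \S+ odoo\.service\.db: '
    r'Create database `(?P<db>[^`]+)`\.')


def parse_events(log_text):
    """Turn raw lines into (ts, kind, detail) tuples; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            path = m.group("path").split("?", 1)[0]  # drop any query string
            if path.startswith(DB_MGMT_PATHS):
                events.append((m.group("ts"), "db_mgmt_request",
                               {"ip": m.group("ip"), "method": m.group("method"),
                                "path": path, "status": m.group("status")}))
            continue
        m = CREATE_RE.match(line)
        if m:
            events.append((m.group("ts"), "db_created", {"db": m.group("db")}))
    return events


def detect(log_text, admin_sources=ADMIN_SOURCES):
    """Alert on manager traffic from non-admin IPs and on databases created
    after such traffic. The creation line carries no client address, so it is
    attributed to the most recent POST /web/database/create seen."""
    alerts = []
    last_create_ip = None
    for ts, kind, d in parse_events(log_text):
        if kind == "db_mgmt_request":
            if d["path"] == "/web/database/create" and d["method"] == "POST":
                last_create_ip = d["ip"]
            if d["ip"] not in admin_sources:
                alerts.append({"ts": ts, "rule": "db_manager_from_untrusted_source",
                               "ip": d["ip"], "path": d["path"]})
        elif kind == "db_created":
            if last_create_ip not in admin_sources:
                alerts.append({"ts": ts, "rule": "database_created_by_untrusted_source",
                               "ip": last_create_ip, "db": d["db"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Feed it the Odoo log file (or the reverse proxy's access log, which has the client address when Odoo sits behind a proxy and logs the proxy's IP instead) and adjust `ADMIN_SOURCES` to the hosts that are actually allowed to manage databases; any `database_created_by_untrusted_source` alert names the rogue database to drop.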