CVE-2021-45111

8.1 HIGH

📋 TL;DR

This vulnerability allows any authenticated remote user of Odoo to trigger the loading of demonstration (demo) data into the production database. Demo data includes user accounts with publicly known credentials, so an attacker who triggers it can then log in through those pre-configured accounts. It affects Odoo Community and Odoo Enterprise 15.0 and earlier.

💻 Affected Systems

Products:
  • Odoo Community
  • Odoo Enterprise
Versions: 15.0 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations running vulnerable versions regardless of configuration.

📦 What is this software?

Odoo is an open-source suite of business applications (ERP, CRM, accounting, inventory, e-commerce and more) built on a Python server with a PostgreSQL database, a web client and XML-RPC/JSON-RPC APIs. Odoo Community is the LGPL-licensed core; Odoo Enterprise adds proprietary modules on top of the same server. Each module can ship demonstration data: sample records, including sample user accounts such as the `demo` user, that are meant for evaluation databases and are normally loaded only when a module is installed with demo data enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

The attacker loads demonstration accounts with known credentials into a production database and logs in with them; from any account that carries elevated rights this leads to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

The attacker loads standard demonstration user accounts with known credentials and uses them to read sensitive business data and perform unauthorized operations with that account's rights.

🟢

If Mitigated

With the update applied, or with strict access controls and monitoring in place, the impact is limited to the creation of demonstration records that can be detected and cleaned up before the accounts are used.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated session (any valid account), after which triggering the demo data load is straightforward; the demo credentials themselves are public knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Odoo 15.0 builds that include the fix. Odoo ships security fixes as updates within each supported version branch, so the version number alone ("15.0") does not tell you whether the fix is present; update to the current build of your branch.

Vendor Advisory: https://github.com/odoo/odoo/issues/107683

Restart Required: No

Instructions:

1. Update to a build of your Odoo branch that includes the fix (distribution package, Docker image or git checkout dated after the advisory).
2. If you run from source and cannot move to a newer build, pull or cherry-pick the fix commit from the Odoo repository for your branch.
3. Verify: confirm the build date or commit, then, on a staging copy of the database, attempt to trigger demonstration data loading as an ordinary (non-administrator) authenticated user and confirm it is refused.

🔧 Temporary Workarounds

Restrict User Permissions

Platform: all

Reduce the number of accounts that can reach the demonstration-data feature: remove or archive unused internal users, enforce strong credentials and two-factor authentication, and review who holds the Administration (Settings) group. Caveat: the flaw is a missing access check on the feature itself, so tightening roles shrinks the attack surface but is not a reliable block; treat it as a stopgap until the update is applied.

Configure Odoo user roles to remove unnecessary privileges.

Disable Demonstration Data Feature

Platform: all

Keep demo data out of the production database: run the server with `--without-demo=all` (or set `without_demo = all` in odoo.conf) so that module installation never loads demo data, and check the `demo` flag of installed `ir.module.module` records to confirm it was never loaded in the past. Caveat: this is defence in depth; the page does not establish that it blocks the trigger this CVE describes, so it does not replace the update.

Modify the Odoo server configuration to keep demo data disabled.

🧯 If You Can't Patch

  • Implement strict access controls and monitor for unexpected user creation and demo data loading (see Detection & Monitoring).
  • Regularly audit user accounts and archive or delete any demonstration or unknown accounts, and rotate the password of any account whose credentials are known.

🔍 How to Verify

Check if Vulnerable:

All builds of 15.0 and of earlier branches dated before the fix are vulnerable. Because Odoo ships fixes as branch updates, compare your build date (package version, Docker image tag or git commit date) with the advisory date rather than relying on the major version. Then, on a staging copy of the database, test whether an ordinary authenticated user can trigger demonstration data loading.

Check Version:

In the web client the version is shown at the bottom of the Settings page (and returned by the `/web/webclient/version_info` JSON-RPC route); on the server use `odoo-bin --version`, the installed package version (`dpkg -s odoo`, `pip show odoo`) or `git log -1` in the source checkout to obtain the build date.

Verify Fix Applied:

After patching, attempt to trigger demonstration data loading as an ordinary authenticated user; it should be refused with an access error. Run this test against a staging copy only: on a still-vulnerable instance a "successful" test really does load demo records and accounts. Afterwards confirm that no demo accounts exist in the database.
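To make the last check repeatable, the following script audits a database for loaded demo data and demo accounts. It is an added example for this page, not Odoo's own tooling; it relies on Odoo's documented XML-RPC API (`/xmlrpc/2/common`, `/xmlrpc/2/object`), on the `login` and `active` fields of `res.users`, and on the `demo` flag of `ir.module.module`. The set of demo logins (`demo`, `portal`) is an assumption taken from the base module's demo data; extend it with any demo users your own add-ons ship. The sample records below are constructed so the checks run offline.

```python
"""Audit an Odoo database for loaded demonstration data and demo accounts.

Added example for this page, not Odoo's own tooling. It reads two models
through Odoo's documented XML-RPC API (/xmlrpc/2/common, /xmlrpc/2/object):
  * res.users        - looks for users with well-known demo logins
  * ir.module.module - looks for installed modules whose 'demo' flag is set,
                       i.e. whose demo data has been loaded into this database
The checks are pure functions over plain lists of dicts so they can be run
offline on the constructed sample below; fetch_records() is the only call
that touches a server.
"""
import sys
import xmlrpc.client

# Logins created by Odoo's base demo data. Assumption: extend this set with
# any demo users shipped by your own add-ons.
KNOWN_DEMO_LOGINS = frozenset({"demo", "portal"})


def find_demo_accounts(users, known=KNOWN_DEMO_LOGINS):
    """Return (login, active) pairs for users matching a known demo login.

    Archived demo accounts are reported too: they can be un-archived later.
    """
    return sorted(
        (u["login"], bool(u.get("active", True)))
        for u in users
        if u["login"].lower() in known
    )


def modules_with_demo(modules):
    """Return names of installed modules whose demo data has been loaded."""
    return sorted(
        m["name"] for m in modules
        if m.get("state") == "installed" and m.get("demo")
    )


def audit(users, modules):
    """Combine both checks; demo_data_present is the headline finding."""
    accounts = find_demo_accounts(users)
    demo_mods = modules_with_demo(modules)
    return {
        "demo_accounts": accounts,
        "demo_modules": demo_mods,
        "demo_data_present": bool(accounts or demo_mods),
    }


def fetch_records(url, db, login, password):
    """Read users (including archived ones) and installed modules over XML-RPC."""
    common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
    uid = common.authenticate(db, login, password, {})
    if not uid:
        raise RuntimeError("authentication failed")
    models = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")
    users = models.execute_kw(
        db, uid, password, "res.users", "search_read",
        [[]],
        {"fields": ["id", "login", "active"], "context": {"active_test": False}},
    )
    modules = models.execute_kw(
        db, uid, password, "ir.module.module", "search_read",
        [[["state", "=", "installed"]]],
        {"fields": ["name", "state", "demo"]},
    )
    return users, modules


# Constructed sample records standing in for search_read() results.
SAMPLE_USERS = [
    {"id": 2, "login": "admin", "active": True},
    {"id": 6, "login": "demo", "active": True},
    {"id": 7, "login": "portal", "active": False},      # archived, still reported
    {"id": 8, "login": "alice@example.com", "active": True},
]
SAMPLE_MODULES = [
    {"name": "base", "state": "installed", "demo": True},
    {"name": "sale", "state": "installed", "demo": False},
    {"name": "crm", "state": "uninstalled", "demo": True},  # not installed: ignored
]

if __name__ == "__main__":
    if len(sys.argv) == 5:
        users, modules = fetch_records(*sys.argv[1:5])   # url db login password
    else:
        users, modules = SAMPLE_USERS, SAMPLE_MODULES
    print(audit(users, modules))
```

Run it with `python audit_demo.py https://odoo.example.com prod auditor 'password'` against a staging copy first; a result with `demo_data_present` true on production means demo accounts must be archived and their passwords rotated even if the update has already been applied.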

📡 Detection & Monitoring

Log Indicators:

  • Server log entries from the `odoo.modules.loading` logger of the form `loading <module>/<file>` where the file name contains `demo`, outside a planned installation or upgrade
  • Unexpected user account creation (new `res.users` rows, in particular with the logins `demo` or `portal`) and first logins of accounts nobody provisioned

Network Indicators:

  • POST requests from an authenticated session to the RPC endpoint of the demo loader (in recent versions the `ir.demo` model, reached through paths under `/web/dataset/`; confirm the exact model and route against your version's source)

SIEM Query:

Odoo's default server log does not record which user performed an action, so search for `odoo.modules.loading` messages whose file name contains `demo` and correlate them by timestamp with the preceding `werkzeug` access-log entries to recover the source IP and session; in parallel, query the database for `res_users` rows with known demo logins or with a `create_date` outside maintenance windows.
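The detection logic above, as an added example that is not part of the original page or of Odoo: a small parser for Odoo's default server log line layout (`timestamp pid LEVEL db logger: message`) that raises an alert for demo data file loads, for RPC calls to the demo loader, and for user creation over RPC so the three can be correlated by source IP. The log lines are constructed, the demo-loader request path (`/web/dataset/call_kw/ir.demo/...`) is an assumption to be confirmed against your version, and the rule names are the example's own.

```python
"""Flag demo data loading and related activity in an Odoo server log.

Added example, not Odoo's own tooling. Assumes Odoo's default log format
(`YYYY-MM-DD HH:MM:SS,mmm PID LEVEL DB LOGGER: message`), that demo data
loads appear on the `odoo.modules.loading` logger as `loading <module>/<file>`
with 'demo' in the file name, and that HTTP requests are logged by the
`werkzeug` logger in Apache-style form. The demo loader request path below
(ir.demo under /web/dataset/) is an assumption: confirm it for your version.
"""
import re
import sys
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ (?P<pid>\d+) "
    r"(?P<level>\w+) (?P<db>\S+) (?P<logger>\S+): (?P<msg>.*)$"
)
# "loading base/data/res_users_demo.xml": any data file with 'demo' in its name
DEMO_FILE_RE = re.compile(r"^loading (?P<module>\w+)/(?P<path>\S*demo\S*)$")
# werkzeug message: '<ip> - - [date] "METHOD /path HTTP/1.1" status ...'
HTTP_RE = re.compile(
    r'^(?P<ip>\S+) - - \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
DEMO_RPC_RE = re.compile(r"^/web/dataset/(call_kw|call_button)/ir\.demo/")   # assumption
USER_CREATE_RE = re.compile(r"^/web/dataset/call_kw/res\.users/create$")


def _alert(rec, rule, detail):
    return {"ts": rec["ts"], "db": rec["db"], "rule": rule, "detail": detail}


def detect(lines):
    """Return a list of alert dicts, in log order, for the given log lines."""
    alerts = []
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue  # continuation lines of tracebacks etc. carry no prefix
        rec = m.groupdict()
        msg = rec["msg"]
        if rec["logger"] == "odoo.modules.loading":
            f = DEMO_FILE_RE.match(msg)
            if f:
                alerts.append(_alert(rec, "demo_data_file_loaded", f"{f['module']}/{f['path']}"))
        elif rec["logger"] == "werkzeug":
            h = HTTP_RE.match(msg)
            if not h:
                continue
            detail = f"{h['ip']} {h['method']} {h['path']} -> {h['status']}"
            if DEMO_RPC_RE.match(h["path"]):
                alerts.append(_alert(rec, "demo_loader_rpc", detail))
            elif USER_CREATE_RE.match(h["path"]):
                alerts.append(_alert(rec, "user_created_via_rpc", detail))
    return alerts


def summarize(alerts):
    """Count alerts per rule, the shape a SIEM dashboard would want."""
    return dict(Counter(a["rule"] for a in alerts))


# Constructed sample log: one demo loader call, two demo files, one normal
# data file, one user creation over RPC and one harmless page load.
SAMPLE_LOG = """\
2021-12-10 09:14:01,900 4321 INFO prod werkzeug: 203.0.113.7 - - [10/Dec/2021 09:14:01] "POST /web/dataset/call_kw/ir.demo/install_demo HTTP/1.1" 200 - 12 0.010 0.250
2021-12-10 09:14:02,118 4321 INFO prod odoo.modules.loading: loading base/data/res_users_demo.xml
2021-12-10 09:14:02,300 4321 INFO prod odoo.modules.loading: loading base/data/res_partner_demo.xml
2021-12-10 09:14:03,001 4321 INFO prod odoo.modules.loading: loading base/security/ir.model.access.csv
2021-12-10 09:20:15,003 4321 INFO prod werkzeug: 10.0.0.5 - - [10/Dec/2021 09:20:15] "POST /web/dataset/call_kw/res.users/create HTTP/1.1" 200 - 5 0.004 0.120
2021-12-10 09:21:00,000 4321 INFO prod werkzeug: 10.0.0.5 - - [10/Dec/2021 09:21:00] "GET /web HTTP/1.1" 200 - 3 0.002 0.050
"""

if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    found = detect(source)
    for a in found:
        print(f"{a['ts']} [{a['db']}] {a['rule']}: {a['detail']}")
    print(summarize(found))
```

Feed it a real log with `python odoo_demo_alerts.py /var/log/odoo/odoo-server.log`; a `demo_loader_rpc` hit followed within seconds by `demo_data_file_loaded` entries on a production database is the pattern to escalate, and the source IP in the first alert is the pivot for the rest of the investigation.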

🔗 References

  • Vendor advisory: https://github.com/odoo/odoo/issues/107683
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-45111