CVE-2023-40954

9.8 CRITICAL

📋 TL;DR

A SQL injection vulnerability in Grzegorz Marczynski Dynamic Progress Bar (web_progress) Odoo module allows remote attackers to execute arbitrary SQL commands via the recency parameter. This can lead to privilege escalation, data theft, or complete system compromise. Affects all users running vulnerable versions of this Odoo module.

💻 Affected Systems

Products:
  • Grzegorz Marczynski Dynamic Progress Bar (web_progress) Odoo module
Versions: v11.0 through v11.0.2, v12.0 through v12.0.2, v13.0 through v13.0.2, v14.0 through v14.0.2.1, v15.0 through v15.0.2, v16.0 through v16.0.2.1
Operating Systems: All platforms running Odoo with the vulnerable module
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the web_progress module to be installed and enabled in Odoo. The vulnerability exists in the models/web_progress.py component.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system takeover via SQL injection leading to remote code execution, data exfiltration, and lateral movement within the Odoo environment.

🟠 Likely Case: Privilege escalation allowing attackers to gain administrative access to Odoo, modify data, and potentially access sensitive business information.

🟢 If Mitigated: Limited impact if proper input validation and parameterized queries are implemented, with database permissions restricted to minimum necessary privileges.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing Odoo instances particularly vulnerable.
🏢 Internal Only: HIGH - Even internally accessible systems are vulnerable to authenticated or unauthenticated attacks depending on configuration.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available in the OdZoo repository. The vulnerability requires minimal technical skill to exploit due to the straightforward SQL injection vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after the commit 3c867f1cf7447449c81b1aa24ebb1f7ae757489f

Vendor Advisory: https://github.com/gmarczynski/odoo-web-progress/commit/3c867f1cf7447449c81b1aa24ebb1f7ae757489f

Restart Required: Yes

Instructions:

1. Update the web_progress module to the latest version from the official repository.
2. Restart the Odoo service.
3. Verify the fix by checking that the recency parameter is properly sanitized.

🔧 Temporary Workarounds

Disable web_progress module (Platform: all)

Temporarily uninstall the vulnerable module until patching is possible. Run the uninstall from the Odoo shell against your database (replace your_database with its name):

odoo-bin shell -d your_database <<'EOF'
env['ir.module.module'].search([('name', '=', 'web_progress')]).button_immediate_uninstall()
env.cr.commit()
EOF

Web Application Firewall rule (Platform: all)

Block requests containing SQL injection patterns targeting the recency parameter

🧯 If You Can't Patch

  • Implement strict input validation for the recency parameter in the web_progress module
  • Apply network segmentation to isolate Odoo instances and restrict database access

🔍 How to Verify

Check if Vulnerable:

Check whether the web_progress module is installed and whether its version falls within the vulnerable range. Examine models/web_progress.py for SQL that interpolates the recency parameter into the query string instead of passing it as a query parameter.

Check Version:

Check Odoo module version via Odoo interface: Settings → Apps → Find web_progress module

Verify Fix Applied:

Verify that the commit 3c867f1cf7447449c81b1aa24ebb1f7ae757489f is applied in your web_progress module. Test that SQL injection attempts on the recency parameter are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by successful admin access
  • Requests containing SQL injection patterns in recency parameter

Network Indicators:

  • Unusual outbound database connections from Odoo server
  • Traffic patterns matching known SQL injection payloads

SIEM Query:

source="odoo.log" AND ("recency" AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE" OR "--" OR "'"))
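The SIEM query above fires on any line that mentions recency together with one of the listed tokens, so a bare quote or the word SELECT anywhere in the line produces a hit. As an added example (not part of this advisory; the request path /web_progress/progress and the log lines are constructed placeholders, not the module's real route or captured traffic), the Python below applies the same token list only to the decoded value of the recency parameter, which narrows the alert to the injection point the advisory names:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Tokens are the ones listed in the SIEM query on this page.
SQLI_TOKENS = ("UNION", "SELECT", "INSERT", "DELETE", "--", "'")

# Request portion of an Odoo/werkzeug access-log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def recency_values(line):
    """Return every percent-decoded value of the recency query parameter in a log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    # parse_qs decodes %xx escapes and '+'; keep blanks so an empty recency= still shows up
    return parse_qs(query, keep_blank_values=True).get("recency", [])


def suspicious_recency(line):
    """Return the sorted SQLi tokens found inside the recency value(s) of one line.

    Only the parameter value is inspected, so a quote or the word SELECT elsewhere
    in the line (other parameters, model names) does not fire.
    """
    hits = set()
    for value in recency_values(line):
        upper = value.upper()
        hits.update(tok for tok in SQLI_TOKENS if tok in upper)
    return sorted(hits)


def scan_log(text):
    """Return (line_number, tokens) for each line whose recency value looks injected."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        toks = suspicious_recency(line)
        if toks:
            findings.append((n, toks))
    return findings


# Constructed sample lines in the shape of Odoo's werkzeug access log; the request
# path is a hypothetical placeholder, not the module's real route.
SAMPLE_LOG = """\
2024-01-01 10:00:01,123 1234 INFO db1 werkzeug: 10.0.0.5 - - [01/Jan/2024 10:00:01] "GET /web_progress/progress?recency=5 HTTP/1.1" 200 - 3 0.001 0.010
2024-01-01 10:00:02,456 1234 INFO db1 werkzeug: 10.0.0.7 - - [01/Jan/2024 10:00:02] "GET /web_progress/progress?recency=5'%20UNION%20SELECT%201-- HTTP/1.1" 200 - 3 0.002 0.020
2024-01-01 10:00:03,789 1234 INFO db1 werkzeug: 10.0.0.9 - - [01/Jan/2024 10:00:03] "GET /web/dataset/search_read?model=select.recency HTTP/1.1" 200 - 3 0.001 0.010
"""
```

Running scan_log(SAMPLE_LOG) reports only the second line; the third line contains both "recency" and "select" and would match the raw SIEM query, but its recency parameter is absent.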
