CVE-2024-36259
📋 TL;DR
This vulnerability allows authenticated remote attackers to extract sensitive information from Odoo's mail module through an oracle-based attack that reveals data via yes/no responses. It affects Odoo Community 17.0 and Odoo Enterprise 17.0 installations with default configurations. Attackers need valid user credentials to exploit this improper access control issue.
💻 Affected Systems
- Odoo Community
- Odoo Enterprise
📦 What is this software?
Odoo by Odoo
⚠️ Risk & Real-World Impact
Worst Case
Complete extraction of sensitive data from mail module including confidential business communications, attachments, and user information leading to data breach and regulatory violations.
Likely Case
Targeted extraction of specific sensitive information through repeated crafted queries, potentially exposing business-critical communications and attachments.
If Mitigated
Limited information leakage with proper access controls and monitoring, but still some data exposure possible through sophisticated attacks.
🎯 Exploit Status
Requires authenticated access and understanding of oracle-based attack techniques. Attack involves crafting specific requests to extract information bit by bit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Odoo 17.0 with security patch applied
Vendor Advisory: https://github.com/odoo/odoo/issues/199330
Restart Required: No
Instructions:
1. Update Odoo to the latest 17.0 version with security patches.
2. Apply the specific patch from GitHub issue #199330.
3. Verify the fix by testing mail module access controls.
🔧 Temporary Workarounds
Restrict Mail Module Access
Limit access to the mail module to only essential users through Odoo's access control lists.
Navigate to Settings > Users & Companies > Users > Edit user > Access Rights
Implement Rate Limiting
Add rate limiting to API endpoints to prevent automated oracle attacks.
Configure web server (nginx/apache) rate limiting or use Odoo middleware
🧯 If You Can't Patch
- Implement strict access controls and principle of least privilege for all Odoo users
- Deploy WAF rules to detect and block oracle-based attack patterns
🔍 How to Verify
Check if Vulnerable:
Check if running Odoo 17.0 and test mail module for improper access controls using authenticated test accounts.
Check Version:
python3 -c "import odoo; print(odoo.release.version)" or check Odoo web interface About page
Verify Fix Applied:
Test that authenticated users cannot extract information through crafted yes/no queries in mail module.
📡 Detection & Monitoring
Log Indicators:
- Unusual pattern of mail module API calls from single user
- High volume of similar requests with slight parameter variations
Network Indicators:
- Repeated POST/GET requests to mail endpoints with incremental parameters
- Abnormal request patterns suggesting binary search behavior
SIEM Query:
source="odoo.log" AND ("mail." OR "/mail/") AND status=200 | stats count by user_id, endpoint | where count > threshold
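The log indicators above (many successful mail-module requests from one user with small parameter variations) can be checked offline before a SIEM rule exists. The following script is an added example, not part of this advisory or of Odoo itself: it parses a constructed, simplified access-log format that is assumed to carry the authenticated user id (real Odoo werkzeug logs do not include it by default, so the field would have to come from a proxy or a custom log handler), counts successful requests per user and mail endpoint, and flags pairs that exceed a threshold together with how many distinct query strings were seen. The endpoint path `/mail/lookup` and all log lines are hypothetical sample data.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines (not real Odoo output). Assumed format:
#   <date> <time> uid=<user id> "<METHOD> <path?query> HTTP/x.y" <status>
# The path /mail/lookup is a hypothetical endpoint used only for illustration.
SAMPLE_LOG = """\
2024-06-01 10:00:01 uid=7 "POST /mail/lookup?id=1 HTTP/1.1" 200
2024-06-01 10:00:02 uid=7 "POST /mail/lookup?id=2 HTTP/1.1" 200
2024-06-01 10:00:03 uid=7 "POST /mail/lookup?id=3 HTTP/1.1" 200
2024-06-01 10:00:04 uid=7 "POST /mail/lookup?id=4 HTTP/1.1" 200
2024-06-01 10:00:05 uid=7 "POST /mail/lookup?id=5 HTTP/1.1" 200
2024-06-01 10:00:06 uid=7 "POST /mail/lookup?id=6 HTTP/1.1" 200
2024-06-01 10:00:07 uid=7 "POST /mail/lookup?id=7 HTTP/1.1" 200
2024-06-01 10:00:08 uid=7 "POST /mail/lookup?id=8 HTTP/1.1" 200
2024-06-01 10:00:09 uid=7 "POST /mail/lookup?id=9 HTTP/1.1" 200
2024-06-01 10:00:10 uid=3 "GET /web/login HTTP/1.1" 200
2024-06-01 10:00:11 uid=3 "POST /mail/lookup?id=42 HTTP/1.1" 200
2024-06-01 10:00:12 uid=7 "POST /mail/lookup?id=10 HTTP/1.1" 403
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) uid=(?P<uid>\d+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "uid": int(m.group("uid")),
        "method": m.group("method"),
        "path": url.path,
        "query": url.query,
        "status": int(m.group("status")),
    }


def mail_request_stats(lines):
    """Per (uid, path): number of successful (HTTP 200) requests to /mail/
    endpoints and the set of distinct query strings. An oracle-style
    enumeration shows up as a high count with many distinct variants."""
    stats = defaultdict(lambda: {"count": 0, "variants": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue  # unparseable or not a successful response
        if not rec["path"].startswith("/mail/"):
            continue  # only mail-module endpoints are of interest here
        key = (rec["uid"], rec["path"])
        stats[key]["count"] += 1
        stats[key]["variants"].add(rec["query"])
    return stats


def flag_oracle_patterns(lines, threshold=5):
    """Return sorted (uid, path, count, distinct_variants) tuples for every
    user/endpoint pair whose successful request count exceeds the threshold."""
    flagged = []
    for (uid, path), s in mail_request_stats(lines).items():
        if s["count"] > threshold:
            flagged.append((uid, path, s["count"], len(s["variants"])))
    return sorted(flagged)


if __name__ == "__main__":
    for uid, path, count, variants in flag_oracle_patterns(SAMPLE_LOG.splitlines()):
        print(f"uid={uid} path={path} requests={count} distinct_params={variants}")
```

The threshold is deliberately a parameter: pick it from a baseline of normal per-user mail traffic in your own logs, since a legitimate mail client also issues many requests, but rarely with a steadily varying single parameter and a 200 response every time. The 403 line is dropped on purpose, because denied requests do not feed an oracle that answers via successful responses.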