CVE-2017-10804

In Odoo 8.0, Odoo Community Edition 9.0 and 10.0, and Odoo Enterprise Edition 9.0 and 10.0, remote attackers can bypass authentication under certain circumstances because parameters containing 0x00 characters are truncated before reaching the database layer. This occurs because Psycopg 2.x before 2.6.3 is used.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
VendorProductVersion
odooodoo
8.0
odooodoo
9.0
odooodoo
9.0
odooodoo
10.0
odooodoo
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
odoo
bullseye (security)
14.0.0+dfsg.2-7+deb11u2
fixed
bullseye
14.0.0+dfsg.2-7+deb11u2
fixed
sid
17.0.0+dfsg3-1
fixed
Common Weakness Enumeration
References
http://initd.org/psycopg/docs/news.html#what-s-new-in-psycopg-2-6-3
https://github.com/odoo/odoo/issues/17914
https://github.com/psycopg/psycopg2/issues/420
http://initd.org/psycopg/docs/news.html#what-s-new-in-psycopg-2-6-3
https://github.com/odoo/odoo/issues/17914
https://github.com/psycopg/psycopg2/issues/420