Community mailing list archives

Odoo Security Advisory - 2016-01-base-sql-injection

Olivier Dony (odo)
- 02/24/2016 06:28:29
Odoo Security Advisory                   2016-01-base-sql-injection

Title: SQL injection vulnerability in Odoo framework

Affects: All Odoo versions
Component: Odoo Framework
Credits: Colin Newell


I.   Background

Odoo includes an Object-Relational Mapping (ORM) subsystem,
which exposes a high-level abstraction of the underlying
database backend to the rest of the Odoo components.

In some cases, for performance reasons or for very specific data
access patterns, business logic components must directly use the
lower-level database access layer without going through the regular
ORM layer.

II.  Problem Description

The Odoo framework contained a deprecated function directly using
the low-level database access layer without properly sanitizing
user-provided parameters.

III. Impact

Access Vector: Network exploitable
Access Complexity: Low
Authentication: User account required

Malicious Odoo users with at least read-only access to vulnerable
installations could craft specific RPC packets causing the injection of
arbitrary SQL commands inside database queries.

Such arbitrary SQL commands could allow the attacker to read or
alter the database content in any manner, usually without leaving
any trace. This could include very sensitive business data or
credentials from other users.

Exploiting this vulnerability requires remote network access and
the credentials of a valid Odoo user on a database hosted on a
vulnerable Odoo installation.

Odoo S.A. is not aware of any malicious use of this vulnerability.

IV.  Workaround

No workaround is available, please follow the steps described in
the next section.

Odoo Online servers have been patched as soon as the correction was

V.   Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:

       patch -p0 -f