CVE-2021-23203

Description

Improper access control in reporting engine of Odoo Community 14.0 through 15.0, and Odoo Enterprise 14.0 through 15.0, allows remote attackers to download PDF reports for arbitrary documents, via crafted requests.

How to fix CVE-2021-23203

To remediate CVE-2021-23203, upgrade the affected package to a fixed version below.

Bitnami/odoo—upgrade to 14.0.1 or later
Debian/odoo—upgrade to 14.0.0+dfsg.2-7+deb11u1 or later

Is CVE-2021-23203 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 14.0.0, < 14.0.1, >= 15.0.0, < 15.0.1
from 0, < 14.0.0+dfsg.2-7+deb11u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-23203
WEBgithub.com/odoo/odoo/issues/107695
WEBnvd.nist.gov/vuln/detail/CVE-2021-23203
WEBwww.debian.org/security/2023/dsa-5399