What is CVE-2020-29396?

CVE-2020-29396 is a critical-severity vulnerability in Odoo Community, classified under Privilege Defined With Unsafe Actions. CVSS score: 9.9/10. Published 2020-12-22.

How severe is CVE-2020-29396?

Critical severity. CVSS v3 base score is 9.9 out of 10.

Is CVE-2020-29396 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Privilege escalation in Odoo Community

CVE-2020-29396

A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation.

EPSS: 0.018 (83.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.9 (Critical). Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L.

Affected products

Odoo Community — versions 11.0, unspecified
Odoo Enterprise — versions 11.0, unspecified

Weakness classification (CWE)

CWE-267 — Privilege Defined With Unsafe Actions

Public proof-of-concept exploits

References

github.com/odoo/odoo/issues/63712 (x_refsource_MISC)
www.oracle.com/security-alerts/cpujul2022.html (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-29396?: CVE-2020-29396 is a critical-severity vulnerability in Odoo Community, classified under Privilege Defined With Unsafe Actions. CVSS score: 9.9/10. Published 2020-12-22.
How severe is CVE-2020-29396?: Critical severity. CVSS v3 base score is 9.9 out of 10.
Is CVE-2020-29396 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.