Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Two critical Security Issues #503

Open
AquaMCU opened this issue May 9, 2024 · 1 comment
Open

Two critical Security Issues #503

AquaMCU opened this issue May 9, 2024 · 1 comment

Comments

@AquaMCU
Copy link

AquaMCU commented May 9, 2024

Following the docker documentation, the official odoo docker image has two critical issues:

https://hub.docker.com/layers/library/odoo/latest/images/sha256-b0eb0d356b153989384f414f884134733fc00f413b5d04ca795bc9c35b11c237?context=repo&tab=vulnerabilities

CVE-2022-29361: Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project

CVE-2023-41419: An issue in Gevent before version 23.9.0 allows a remote attacker to escalate privileges via a crafted script to the WSGIServer component.

I think both can be fixed by updating the effected software within the docker container.
@amh-mw
Copy link

amh-mw commented May 10, 2024

@AquaMCU Unfortunately, Odoo employees don't seem to monitor issues on this repository, so I might suggest raising this via https://www.odoo.com/security-report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@amh-mw @AquaMCU