odoo / odoo

Odoo. Open Source Apps To Grow Your Business.

Home Page:https://www.odoo.com

[17.0][SEC] CVSS 7.8 SBOM Dep. Reportlab 3.6.12 vulnerable to remote code execution

wilsonmar opened this issue · comments

Run of osv-scanner on git clone of v17.0 at 6f6763b
Scanned odoo/requirements.txt file and found 53 packages
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION |
|---|---|---|---|---|
| https://osv.dev/GHSA-9q9m-c65c-37pq | 7.8 | PyPI | reportlab | 3.6.12 |
| https://osv.dev/GHSA-9q9m-c65c-37pq | 7.8 | PyPI | reportlab | 3.6.8 |

https://osv.dev/GHSA-9q9m-c65c-37pq
Source: GHSA-9q9m-c65c-37pq
Import Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-9q9m-c65c-37pq/GHSA-9q9m-c65c-37pq.json
Aliases: CVE-2023-33733
Published: 2023-06-05T18:30:27Z
Modified: 2024-02-19T05:31:05.881022Z
Details: Reportlab up to and including v3.6.12 allows attackers to execute arbitrary code via supplying a crafted PDF file.

References
https://nvd.nist.gov/vuln/detail/CVE-2023-33733
https://github.com/c53elyas/CVE-2023-33733
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36WOY22ECJCPOXHVTNCHEWOQLL7JSWP4
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6ALE727IRACYBTTOFIFG57RS4OA2SHIJ

Hello,

Thank you for your report but I will close it as invalid.
TL;DR: don’t rely on version number to determine if Odoo is vulnerable.

We cannot update to the latest version of each library because they are incompatible and introduce breaking changes. We monitor the CVE of our dependencies and update accordingly when a vulnerability impacts Odoo.
We tend to follow the versions offered by the latest stable version of Debian and Ubuntu at the time of release. These distributions also monitor CVE and backport the patch when needed. If there is no other choice, we will also monkeypatch the library to avoid the vulnerability.
We do not use all the features of libraries like reportlab; it is used in various contexts and with different risk models. What is vulnerable for one may not be applicable for another.

If you believe a specific vulnerability is applicable to Odoo, please contact the security team with a proof of concept or additional details and we will investigate.

Best,
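As an added illustration of the two posts above (not code from the issue, from osv-scanner, or from Odoo): the version-range match that produced the report, applied to a constructed requirements.txt, with each hit labelled as a triage lead rather than proof of exposure, which is the maintainer's point about backports and monkeypatches. The advisory record is built from the details quoted in the report; treating 3.6.13 as the first fixed version is an assumption of this example.

```python
"""OSV-style version-range triage over a requirements.txt (added example)."""
import re

# Constructed from the issue text: CVE-2023-33733 affects reportlab
# "up to and including v3.6.12". The 3.6.13 "fixed" bound is an assumption.
ADVISORIES = [
    {
        "id": "GHSA-9q9m-c65c-37pq",
        "aliases": ["CVE-2023-33733"],
        "ecosystem": "PyPI",
        "package": "reportlab",
        "ranges": [{"introduced": "0", "fixed": "3.6.13"}],  # assumption
        "severity": 7.8,
    }
]

# Constructed sample with environment markers, not Odoo's real file.
SAMPLE_REQUIREMENTS = """\
Babel==2.9.1
reportlab==3.6.12 ; python_version >= '3.10'
reportlab==3.6.8 ; python_version < '3.10'
requests==2.25.1
"""

def vkey(v):
    """Order dotted numeric versions; PEP 440 pre/post tags are out of scope."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_requirements(text):
    """Yield (name, version) for '==' pins; comments and markers are dropped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.]*)$", line)
        if m:
            yield m.group(1).lower(), m.group(2)

def in_range(version, rng):
    """OSV semantics: affected if introduced <= version < fixed."""
    return vkey(rng["introduced"]) <= vkey(version) < vkey(rng["fixed"])

def scan(text, advisories=ADVISORIES):
    """Return version matches; a match means 'check for a backport or vendor
    patch', not 'exploitable', since distro builds keep the upstream number."""
    findings = []
    for name, version in parse_requirements(text):
        for adv in advisories:
            if (adv["ecosystem"] == "PyPI" and adv["package"].lower() == name
                    and any(in_range(version, r) for r in adv["ranges"])):
                findings.append({"package": name, "version": version,
                                 "id": adv["id"], "cvss": adv["severity"],
                                 "status": "version-match, needs triage"})
    return findings
```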