
Two critical Security Issues

Open AquaMCU opened this issue 1 year ago • 4 comments

Following the docker documentation, the official odoo docker image has two critical issues:

https://hub.docker.com/layers/library/odoo/latest/images/sha256-b0eb0d356b153989384f414f884134733fc00f413b5d04ca795bc9c35b11c237?context=repo&tab=vulnerabilities

CVE-2022-29361: Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project

CVE-2023-41419: An issue in Gevent before version 23.9.0 allows a remote attacker to escalate privileges via a crafted script to the WSGIServer component.

I think both can be fixed by updating the affected software within the docker container.

AquaMCU avatar May 09 '24 23:05 AquaMCU
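A quick way to verify whether a running image still carries the two packages at the versions named above is to compare the installed versions against the first fixed releases (Werkzeug 2.1.1, the release after the "v2.1.0 and below" range, and gevent 23.9.0). The script below is an added example written for this thread, not code from the odoo image or its maintainers; the `pip list --format=freeze` sample is constructed, and the assumption that `pip` is available inside the container is labelled as such.

```python
import re
import sys

# First releases that contain the fixes for the two CVEs quoted in the issue.
# CVE-2022-29361: Werkzeug v2.1.0 and below are affected, so 2.1.1 is the fixed floor.
# CVE-2023-41419: gevent before 23.9.0 is affected.
MIN_FIXED = {
    "werkzeug": (2, 1, 1),
    "gevent": (23, 9, 0),
}

# Constructed sample of `pip list --format=freeze` output (not taken from the real image).
SAMPLE_FREEZE = """\
Babel==2.9.1
gevent==21.8.0
greenlet==1.1.2
Werkzeug==2.0.2
"""


def parse_version(text):
    """Turn '2.0.2' or '21.8.0.post1' into a tuple of leading integers for comparison."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break          # stop at suffixes such as 'post1' or 'rc2'
        parts.append(int(m.group()))
    return tuple(parts)


def parse_freeze(text):
    """Map lower-cased package name -> version string from freeze-style lines."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, ver = line.split("==", 1)
        pkgs[name.strip().lower()] = ver.strip()
    return pkgs


def find_outdated(freeze_text, minimums=MIN_FIXED):
    """Return (package, installed, required) for each tracked package below its fixed floor."""
    installed = parse_freeze(freeze_text)
    findings = []
    for name, min_ver in minimums.items():
        if name not in installed:
            continue       # package absent: nothing to compare
        if parse_version(installed[name]) < min_ver:
            findings.append((name, installed[name], ".".join(map(str, min_ver))))
    return findings


if __name__ == "__main__":
    # Assumption: pip exists inside the image, so this can be fed with
    #   docker run --rm odoo:latest pip list --format=freeze | python3 check_versions.py
    # When run interactively with no piped input, the constructed sample is used.
    text = SAMPLE_FREEZE if sys.stdin.isatty() else sys.stdin.read()
    for name, have, need in find_outdated(text):
        print(f"{name}: installed {have}, fixed in {need} or later")
```

The comparison stops at the first non-numeric version segment, so suffixes such as `post1` or `rc1` do not break the check; a release candidate of a fixed version is still treated as that version, which is acceptable for a triage script but not for a strict SBOM gate.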

@AquaMCU Unfortunately, Odoo employees don't seem to monitor issues on this repository, so I might suggest raising this via https://www.odoo.com/security-report

amh-mw avatar May 10 '24 12:05 amh-mw

@d-fence is there any plan to fix vulnerabilities? Or how do you manage it?

When I take a look at Docker Hub it is super red :( https://hub.docker.com/_/odoo/tags

Thank you


bedla avatar Oct 01 '24 14:10 bedla