Vulnerability in users_ldap_groups allows arbitrary LDAP queries via JSON RPC API #617
This project seems to be maintained with inadequate resources. Could @gurneyalex, as the OCA Representative of this project, take a look at this vulnerability and the fix in #596? This has now been publicly available for three months. Thanks!

Hello, I just approved and commented on your PR.
Module
users_ldap_groups
Describe the bug
Model res.company.ldap.operator: operators should be private methods; public methods allow arbitrary LDAP queries via the JSON RPC API.
To Reproduce
Affected versions: all
Steps to reproduce the behavior:
Send
POST /web/dataset/call_kw/res.company.ldap.operator/query HTTP/1.1
e.g. with the data
{"id":5,"jsonrpc":"1.0","method":"call","params":{"model":"res.company.ldap.operator","method":"query","args":["","",""],"kwargs":{}}}
Expected behavior
Methods should not be available via JSON RPC API but only from other Python classes.
Additional context
See https://www.odoo.com/documentation/17.0/developer/reference/backend/security.html#unsafe-public-methods
Attempted fix
A possible fix for this vulnerability is now in #659 (62d064f).
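The following is an added, stand-alone illustration of the fix the issue asks for; it is not code from the users_ldap_groups module or from Odoo. It re-creates, in a few lines, the rule Odoo's JSON-RPC dispatcher applies (method names beginning with an underscore cannot be called remotely) and puts a vulnerable operator class, whose LDAP helper is public, next to a hardened one, whose helper is private and reachable only from other server-side Python. The `FakeLdapBackend`, the `LdapOperator*` classes, `sync_user_groups`, the base DN and the `probe` helper are all constructed for this example; the filter-escaping helper follows RFC 4515.

```python
import re


class AccessError(Exception):
    """Raised when an RPC caller asks for a method that is not meant to be public."""


# Re-creation of the dispatcher's private-name rule (underscore-prefixed or "init");
# written for this example, not copied from Odoo.
_PRIVATE_NAME = re.compile(r"^(_.*|init)$")


def check_method_name(name: str) -> None:
    """Reject method names that must never be reachable over JSON-RPC."""
    if _PRIVATE_NAME.match(name):
        raise AccessError(f"Private methods (such as {name}) cannot be called remotely.")


def call_kw(model, method: str, args: list, kwargs: dict):
    """Simplified stand-in for the call_kw entry point: name check first, then dispatch."""
    check_method_name(method)
    fn = getattr(model, method, None)
    if fn is None or not callable(fn):
        raise AttributeError(f"{type(model).__name__} has no method {method!r}")
    return fn(*args, **kwargs)


def escape_filter_chars(value: str) -> str:
    """RFC 4515 escaping for a value that is embedded in an LDAP search filter."""
    return (value.replace("\\", "\\5c")
                 .replace("*", "\\2a")
                 .replace("(", "\\28")
                 .replace(")", "\\29")
                 .replace("\x00", "\\00"))


class FakeLdapBackend:
    """Constructed stand-in for an LDAP connection: records every search it is asked to run."""

    def __init__(self):
        self.queries = []

    def search(self, base: str, filter_str: str, attributes):
        self.queries.append((base, filter_str, tuple(attributes)))
        return []  # there is no directory behind this stub


class LdapOperatorVulnerable:
    """Vulnerable shape: `query` is public, so the dispatcher runs it for any RPC caller."""

    def __init__(self, backend):
        self.backend = backend

    def query(self, base, filter_str, attributes):
        return self.backend.search(base, filter_str, attributes)


class LdapOperatorHardened:
    """Hardened shape: the LDAP helper is private; only server-side Python can call it."""

    def __init__(self, backend):
        self.backend = backend

    def _query(self, base, filter_str, attributes):
        return self.backend.search(base, filter_str, attributes)

    def sync_user_groups(self, uid: str):
        # A legitimate internal caller: the filter is built server-side and the
        # only externally supplied value is escaped before it enters the filter.
        flt = f"(memberUid={escape_filter_chars(uid)})"
        return self._query("dc=example,dc=org", flt, ["cn"])


def probe(operator, method_name: str) -> str:
    """Report how the dispatcher treats a method name on a given operator object."""
    try:
        call_kw(operator, method_name, ["", "", []], {})
        return "dispatched"
    except AccessError:
        return "blocked"
    except AttributeError:
        return "missing"


if __name__ == "__main__":
    backend = FakeLdapBackend()
    print(probe(LdapOperatorVulnerable(backend), "query"))   # dispatched
    print(probe(LdapOperatorHardened(backend), "_query"))    # blocked
    hardened = LdapOperatorHardened(backend)
    hardened.sync_user_groups("alice")
    print(backend.queries[-1])
```

Renaming `query` to `_query` is the whole of the access-control fix at the RPC boundary, because the dispatcher never resolves underscore-prefixed names; the escaping in `sync_user_groups` is a separate, defence-in-depth measure for the internal call path and is not something the issue itself asks for.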