Odoo LFI (CVE-2019-14322) - Vulnerability Database

Odoo LFI (CVE-2019-14322)

Description

Odoo, a comprehensive business management software suite, is affected by a local file inclusion (LFI) vulnerability inherited from its dependency on Pallets Werkzeug. This vulnerability, identified as CVE-2019-14322, allows unauthenticated remote attackers to read arbitrary files from the server's filesystem by exploiting a weakness in how Werkzeug resolves requested file paths.

Remediation

Immediately upgrade Odoo to a patched version that addresses CVE-2019-14322. For Odoo 12.0, upgrade to version 12.0+e or later. Additionally, ensure that the underlying Werkzeug library is updated to version 0.15.5 or higher. Until the upgrade is complete, as a temporary mitigation, implement strict input validation and sanitization for all file path parameters, restrict web server permissions to prevent access to sensitive directories, and deploy web application firewall (WAF) rules to detect and block path traversal attempts. Verify the fix by testing that requests containing path traversal sequences (e.g., '../') are properly rejected.
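As an added example (not Odoo's or Werkzeug's own code), the following stdlib-only Python implements the "strict input validation for file path parameters" mitigation and the verification step above: it percent-decodes a requested static-file path and rejects '..' segments, backslashes, and Windows drive or UNC prefixes, the input class that CVE-2019-14322 concerns. The sample requests are constructed for illustration.

```python
import ntpath
from urllib.parse import unquote


def safe_relative_path(requested: str):
    """Return the normalized path of a static-file request relative to the
    document root, or None when the request must be rejected.

    Rejected after percent-decoding: NUL bytes, backslash separators,
    Windows drive names such as 'C:' and UNC prefixes such as
    '//server/share' (the input CVE-2019-14322 mishandled), and any '..'
    segment. A leading '/' is tolerated because the root mount strips it.
    """
    path = unquote(requested)
    if "\x00" in path or "\\" in path:
        return None
    # ntpath.splitdrive recognises drive and UNC prefixes on any OS, so the
    # check does not depend on the host Odoo runs on.
    drive, rest = ntpath.splitdrive(path)
    if drive:
        return None
    segments = [seg for seg in rest.split("/") if seg not in ("", ".")]
    if ".." in segments:
        return None
    return "/".join(segments)


# Constructed sample requests, labelled by whether a hardened server should
# reject them; used to mirror the "verify the fix" step of the remediation.
SAMPLE_REQUESTS = {
    "css/app.css": False,
    "/img/./logo.png": False,
    "../../etc/passwd": True,
    "%2e%2e/%2e%2e/etc/passwd": True,
    "C:/Windows/win.ini": True,
    "//fileserver/share/secret.txt": True,
}


def verify_rejections(samples=SAMPLE_REQUESTS):
    """Return the sample requests whose outcome differs from expectation;
    an empty list means every traversal-style request was rejected."""
    mismatches = []
    for request, should_reject in samples.items():
        rejected = safe_relative_path(request) is None
        if rejected != should_reject:
            mismatches.append(request)
    return mismatches
```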