
[16.0][FIX] users_ldap_groups JSON RPC vulnerability #659

Merged: 2 commits, merged Jun 6, 2024

Conversation

@oh2fih (Contributor) commented Jun 6, 2024

Fix #617

res.company.ldap.operator operators should be private methods; public methods allow arbitrary LDAP queries via JSON-API

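The fix rests on Odoo's convention that a model method whose name starts with an underscore is private and cannot be invoked through the JSON-RPC `call_kw` entry point, while any other method on a model is reachable by every authenticated RPC caller with caller-chosen arguments. The block below is an added illustration, not code from this PR, from OCA/server-auth or from Odoo: it uses a simplified stand-in for that dispatcher check (the real one is `odoo.models.check_method_name`), a hypothetical operator model in its public ("before") and private ("after") shapes, and a fake LDAP backend that only records the filter it would have sent. All class names, method names and the sample filter are constructed.

```python
"""Why underscore-prefixed (private) methods close a JSON-RPC exposure.

Constructed illustration; not code from the PR, OCA or Odoo. It mimics the rule
Odoo's RPC layer applies in odoo.models.check_method_name(): names starting with
'_' are private and cannot be called via call_kw. Everything named below is
hypothetical and no LDAP server is contacted.
"""


class AccessError(Exception):
    """Stand-in for odoo.exceptions.AccessError."""


def check_method_name(name: str) -> None:
    """Refuse private (underscore-prefixed) methods, as Odoo's RPC dispatcher does."""
    if name.startswith("_"):
        raise AccessError(f"Private methods (such as {name}) cannot be called remotely.")


class FakeLdapBackend:
    """Records (base, filter) pairs a query would have sent; nothing is contacted."""

    def __init__(self) -> None:
        self.queries: list[tuple[str, str]] = []

    def search(self, base: str, ldap_filter: str) -> list:
        self.queries.append((base, ldap_filter))
        return []


class LdapOperatorBefore:
    """Hypothetical 'before' shape: the operator is a public model method, so the
    RPC layer forwards caller-supplied base and filter straight to LDAP."""

    def __init__(self, backend: FakeLdapBackend) -> None:
        self.backend = backend

    def query(self, base: str, ldap_filter: str) -> list:
        return self.backend.search(base, ldap_filter)


class LdapOperatorAfter:
    """Hypothetical 'after' shape matching the fix: same logic, private name.
    Internal callers (e.g. the group-sync code) still call it; RPC cannot."""

    def __init__(self, backend: FakeLdapBackend) -> None:
        self.backend = backend

    def _query(self, base: str, ldap_filter: str) -> list:
        return self.backend.search(base, ldap_filter)


def rpc_call_kw(record, method: str, *args):
    """Minimal stand-in for the JSON-RPC call_kw entry point."""
    check_method_name(method)
    return getattr(record, method)(*args)


def rpc_reaches_ldap(operator, method: str) -> bool:
    """True if an RPC call with caller-chosen arguments reaches the LDAP backend.

    The base DN and filter are constructed sample values.
    """
    before = len(operator.backend.queries)
    try:
        rpc_call_kw(operator, method, "dc=example,dc=test", "(uid=constructed)")
    except AccessError:
        return False
    return len(operator.backend.queries) > before


if __name__ == "__main__":
    print("before fix, RPC reaches LDAP:", rpc_reaches_ldap(LdapOperatorBefore(FakeLdapBackend()), "query"))
    print("after fix, RPC reaches LDAP:", rpc_reaches_ldap(LdapOperatorAfter(FakeLdapBackend()), "_query"))
```

The useful check for a reviewer is the negative case: after the rename, the dispatcher refuses the call before any argument is looked at, which is why the fix needs no input validation of its own. Internal code paths keep working because they call `_query` directly rather than through `call_kw`.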
@pedrobaeza (Member):

Please do a responsible disclosure of any vulnerability. You can't put "JSON RPC vulnerability" in big letters in the title to call those who want to exploit it.

@pedrobaeza pedrobaeza added this to the 16.0 milestone Jun 6, 2024
@oh2fih (Contributor, Author) commented Jun 6, 2024

This information has been out there since Feb 23 as #617 and this fix available since Mar 30 as a part of #596, though...

@pedrobaeza (Member):

Yes, and that was also a non-responsible disclosure. It's not your fault though, as there's no mechanism established for this at OCA (cc @vdewulf), as there is for Odoo: https://www.odoo.com/es_ES/security-report

@oh2fih (Contributor, Author) commented Jun 6, 2024

I agree. Well, https://odoo-community.org/contactus does have security contact information, but the information is a few clicks away from the repository and, therefore, slightly hard to find. Now that I have it, I'll definitely approach the security team first in the future.

@sbidoul (Member) commented Jun 6, 2024

> I agree. Well, https://odoo-community.org/contactus does have security contact information, but the information is a few clicks away from the repository and, therefore, slightly hard to find. Now that I have it, I'll definitely approach the security team first in the future.

Good point, @oh2fih. I added a security policy on our GitHub organization. It is now visible on each repo.

@hparfr (Contributor) left a comment

minor remark

@oh2fih oh2fih requested a review from hparfr June 6, 2024 14:09
@pedrobaeza (Member):

Let's merge it although the CI is red.

@pedrobaeza pedrobaeza merged commit 7f5ae4c into OCA:16.0 Jun 6, 2024
5 of 7 checks passed
@sbidoul (Member) commented Jun 6, 2024

I opened backport PRs for 15, 14, 13.

12 will require manual intervention.

@oh2fih oh2fih deleted the 16.0-jsonrpc-vuln branch June 6, 2024 15:36
Linked issue:
Vulnerability in users_ldap_groups allows arbitrary LDAP queries via JSON RPC API
6 participants