odoo / docker


Two critical Security Issues #503

Open AquaMCU opened 1 month ago

AquaMCU commented 1 month ago

Following the docker documentation, the official odoo docker image has two critical issues:

https://hub.docker.com/layers/library/odoo/latest/images/sha256-b0eb0d356b153989384f414f884134733fc00f413b5d04ca795bc9c35b11c237?context=repo&tab=vulnerabilities

CVE-2022-29361: Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project

CVE-2023-41419: An issue in Gevent before version 23.9.0 allows a remote attacker to escalate privileges via a crafted script to the WSGIServer component.

I think both can be fixed by updating the affected software within the docker container.
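
Since the suggested remediation is to update the affected packages, here is an added example (not code from the odoo/docker project) that checks a `pip freeze` listing captured from the image against the two advisories quoted above. The capture command, the first-fixed versions (derived from the advisory ranges) and the sample listing are assumptions or constructed input.

```python
# Added example (not odoo/docker project code): check a container's 'pip freeze'
# output against the two advisories quoted above. Assumed input source:
#   docker run --rm odoo:latest pip freeze
# First-fixed versions are derived from the advisory ranges: Werkzeug > 2.1.0
# (so >= 2.1.1) and gevent >= 23.9.0.
import re

# package -> (CVE, first non-vulnerable version) taken from the advisory text
ADVISORIES = {
    "werkzeug": ("CVE-2022-29361", (2, 1, 1)),   # "v2.1.0 and below" affected
    "gevent": ("CVE-2023-41419", (23, 9, 0)),    # "before version 23.9.0" affected
}

def parse_version(text):
    """'2.0.2' -> (2, 0, 2); pre/post-release suffixes are ignored here."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts + [0] * (3 - len(parts)))  # (2, 1) == (2, 1, 0)

def parse_freeze(output):
    """Parse 'name==version' lines into {lowercase_name: version}."""
    installed = {}
    for line in output.splitlines():
        line = line.strip()
        if "==" in line and not line.startswith("#"):
            name, version = line.split("==", 1)
            installed[name.strip().lower()] = version.strip()
    return installed

def find_vulnerable(freeze_output):
    """Return [(package, installed, cve, first_fixed)] for affected packages."""
    findings = []
    for name, version in parse_freeze(freeze_output).items():
        if name in ADVISORIES:
            cve, fixed = ADVISORIES[name]
            if parse_version(version) < fixed:
                findings.append((name, version, cve, ".".join(map(str, fixed))))
    return findings

# Constructed sample output, not captured from the real image.
SAMPLE_FREEZE = "gevent==21.8.0\ngreenlet==1.1.2\nWerkzeug==2.0.2\npsycopg2==2.9.3\n"

if __name__ == "__main__":
    for name, ver, cve, fixed in find_vulnerable(SAMPLE_FREEZE):
        print(f"{name}=={ver}: {cve}; upgrade to >= {fixed}")
```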

amh-mw commented 1 month ago

@AquaMCU Unfortunately, Odoo employees don't seem to monitor issues on this repository, so I might suggest raising this via https://www.odoo.com/security-report