
Cloud Vulnerability DB
A sandboxing issue was discovered in Odoo Community and Enterprise editions, versions 11.0 through 13.0, when running on Python 3.6 or later. The vulnerability was assigned CVE-2020-29396 and was disclosed on December 22, 2020. It affects the core component of both the Community and Enterprise editions, but only installations running on Python 3.6 or later (Odoo Issue).
The vulnerability stems from insufficient sanitization of the default sandbox environment when running on Python 3.6 or later versions. The sandbox is used for interpreting dynamic business logic components, including workflow definitions, automated actions, and dynamic expressions used within report templates. The vulnerability has received a CVSS v3.1 base score of 9.9 (Critical) with the vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L (Odoo Issue).
Successful exploitation could allow a malicious user holding an internal user account to craft code expressions designed to escape the sandbox. This could lead to arbitrary code execution with the privileges of the user running the Odoo service, including execution of system commands with access to local files and services. An attacker could then potentially read sensitive information such as passwords and use it to gain elevated privileges on the hosting machine (Odoo Issue).
No workarounds were available for this vulnerability, so applying the security patches was strongly recommended. The fixes were implemented in the following revisions: 11.0: 451cc81, 12.0: 2be4763, and 13.0: cd32b0c. Odoo Cloud servers were patched as soon as the correction became available. Users were advised either to apply the patches or to upgrade to the latest revision, via GitHub or by downloading the latest version from the official Odoo website (Odoo Issue).
Source: This report was generated using AI