CVE-2021-23176: 
NixOS vulnerability analysis and mitigation

CVE-2021-23176 is a security vulnerability affecting Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier versions. The vulnerability specifically impacts the reporting engine of the l10nfrfec module, which is used for accounting localization in France to generate the Fichier d'Échange Informatisé (FEC). The issue was discovered by Florent Mirieu de la barre and involves improper access control that could allow remote authenticated users to extract accounting information through crafted RPC packets (Odoo Issue).

The vulnerability is classified with a CVSS v3.0 Base Score of 6.5 (Medium) with the vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue stems from improper access control in the report generation functionality of the l10nfrfec module, where the generation of reports was not properly protected. This allowed users without proper accounting access rights to access sensitive accounting data. The vulnerability is network exploitable and requires employee or portal user authentication (Odoo Issue, NVD).

The vulnerability allows malicious users, including those with portal user accounts, to craft specific RPC requests that could extract accounting data from the database. This represents a significant confidentiality breach as it exposes sensitive financial information to unauthorized users (Odoo Issue).

As a temporary workaround, the l10nfrfec module can be uninstalled on unpatched databases. The permanent solution involves updating to the latest revision or applying specific patches. Patches were released for versions 13.0 (0ef5489), 14.0 (f166400), and 15.0 (66f0a38). For Enterprise editions (15.0-ent, 14.0-ent, 13.0-ent), the corresponding Community edition patches should be applied (Odoo Issue, Debian Security).