CVE-2021-44460: 
NixOS vulnerability analysis and mitigation

Improper access control vulnerability (CVE-2021-44460) was discovered in Odoo Community 13.0 and earlier and Odoo Enterprise 13.0 and earlier. The vulnerability allows users with deactivated accounts to continue accessing the system with their previous permissions through crafted RPC requests. This vulnerability was disclosed on December 10, 2022 (GitHub Issue).

The vulnerability exists in the core component of Odoo where deactivated users could still interact with the database through the API even though they were no longer able to login through the login form. The CVSS v3.1 base score is 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) according to NVD assessment, while Odoo rated it as 7.4 HIGH (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) (NVD).

The vulnerability could allow former employees or portal users to abuse their past privileges to gain access to recent information in the system. The attack vector is network exploitable and requires a deactivated user account. The impact primarily affects confidentiality and integrity of the system, with no direct impact on availability (GitHub Issue).

As a workaround, administrators can change the password of deactivated users to ensure they can no longer craft RPC requests. The permanent solution is to update to the latest revision or apply the corresponding patch. For version 13.0, the fix is implemented in commit 8024a6e. Odoo Cloud servers were patched immediately when the correction became available (GitHub Issue).