CVE-2021-44547: 
NixOS vulnerability analysis and mitigation

A sandboxing issue was discovered in Odoo Community 15.0 and Odoo Enterprise 15.0 that allows authenticated administrators to execute arbitrary code, leading to privilege escalation. The vulnerability was assigned CVE-2021-44547 and was disclosed on December 10, 2022. The affected systems include both Community and Enterprise editions of Odoo version 15.0 (Odoo Issue).

The vulnerability exists in the QWeb templating language rendering engine of Odoo's core framework. A programming error made sensitive interfaces available to the template code. The vulnerability has received a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating network exploitability with low attack complexity, though requiring high privileges (NVD).

An attacker with administrator or high privileges on a database can upload a crafted QWeb template to execute arbitrary Python code, leading to privilege escalation on the hosting server. This could allow access to any local files available to the system user executing the Odoo service, as well as the ability to modify files and execute processes. The vulnerability is particularly concerning for multi-tenant systems where administrators may not be trusted (Odoo Issue).

No workaround is available for this vulnerability. The recommended solution is to update to the latest revision or apply the corresponding patch. For version 15.0, the fix is identified by commit 96b09b1. Odoo Cloud servers were patched immediately upon correction availability (Odoo Issue).