
Cloud Vulnerability DB
A community-led vulnerabilities database
An improper access control vulnerability (CVE-2021-45111) affects Odoo Community 15.0 and earlier and Odoo Enterprise 15.0 and earlier. The vulnerability allows remote authenticated users to trigger the creation of demonstration data, including user accounts with known credentials. It was discovered by Nils Hamerlinck (Trobz) and Yenthe Van Ginneken (Odoo Issue).
The vulnerability exists in the demonstration data feature of Odoo, which is designed to quickly demonstrate features by adding fake employees, products, and other demonstration data to an existing Odoo instance. The security flaw allows this feature to be triggered by any user instead of being restricted to administrators only. The vulnerability has been assigned a CVSS3 Score of 7.1 (High) with the vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, indicating it is network exploitable and requires employee or portal user authentication (Odoo Issue).
A malicious low privilege user, including those with portal user accounts, can exploit this vulnerability to install demonstration data and potentially gain access to restricted data or features. When exploited, the vulnerability results in the creation of a new user account named 'demo' with known credentials, which could be used to access sensitive information (Odoo Issue).
No workaround is available for this vulnerability. Users are strongly recommended to update to the latest revision or apply the corresponding patch. The fixes are available in the following versions: 13.0 (patch 2df06fe), 14.0 (patch d326153), and 15.0 (patch d326153). Enterprise editions (15.0-ent, 14.0-ent, 13.0-ent) should refer to their corresponding community version patches. Odoo Cloud servers were patched immediately upon correction availability (Odoo Issue, Debian Advisory).
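A check for the artifacts described above, written as an added example and not taken from the Odoo advisory or patch: it looks for a user with login 'demo' and for installed modules flagged as having demonstration data. The table and column names (`res_users.login`, `ir_module_module.demo`) are assumed from the standard Odoo schema, and the rows are constructed sample data loaded into SQLite as a stand-in for the instance's PostgreSQL database.

```python
import sqlite3

# Standard Odoo table/column names (assumed, not taken from the advisory).
DEMO_USER_SQL = """
    SELECT id, login, active, create_date
    FROM res_users
    WHERE login = 'demo'
"""
DEMO_MODULE_SQL = """
    SELECT name
    FROM ir_module_module
    WHERE demo AND state = 'installed'
    ORDER BY name
"""

def find_demo_artifacts(conn):
    """Return findings that suggest demonstration data was loaded."""
    cur = conn.cursor()
    findings = []
    cur.execute(DEMO_USER_SQL)
    for uid, login, active, created in cur.fetchall():
        status = "active" if active else "archived"
        findings.append(f"user id={uid} login={login!r} is {status}, created {created}")
    cur.execute(DEMO_MODULE_SQL)
    modules = [row[0] for row in cur.fetchall()]
    if modules:
        findings.append("modules with demo data loaded: " + ", ".join(modules))
    return findings

def build_sample_db():
    """Constructed sample rows in SQLite, standing in for an Odoo database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE res_users (id INTEGER, login TEXT, active BOOLEAN, create_date TEXT);
        CREATE TABLE ir_module_module (name TEXT, state TEXT, demo BOOLEAN);
        INSERT INTO res_users VALUES (2, 'admin', 1, '2021-03-01 09:00:00');
        INSERT INTO res_users VALUES (6, 'demo', 1, '2021-12-20 14:32:10');
        INSERT INTO ir_module_module VALUES ('base', 'installed', 1);
        INSERT INTO ir_module_module VALUES ('sale', 'installed', 1);
        INSERT INTO ir_module_module VALUES ('stock', 'uninstalled', 0);
    """)
    return conn

if __name__ == "__main__":
    for line in find_demo_artifacts(build_sample_db()):
        print(line)
```

The two queries can be run unchanged against the instance's PostgreSQL database; on a production database either finding warrants review, since demonstration data is not expected there.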
Source: This report was generated using AI