
Cloud Vulnerability DB
A community-led vulnerabilities database
An improper access control vulnerability (CVE-2024-12368) was discovered in the auth_oauth module of Odoo Community 15.0 and Odoo Enterprise 15.0. The vulnerability was disclosed on January 15, 2025, and was identified by Rafael Fedler from MGB (Migros-Genossenschafts-Bund). It affects both the Community and Enterprise editions of Odoo version 15.0 (GitHub Issue).
The vulnerability exists in the auth_oauth module, which provides OAuth authentication functionality for Odoo installations. The flaw specifically relates to improper access controls that allow internal users with export feature access to extract OAuth tokens of other users who have recently logged in via an OAuth provider. The vulnerability has received a CVSS3 Score of 8.1 (High), with a vector of CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (GitHub Issue).
The vulnerability enables session hijacking by malicious internal users, specifically targeting users authenticated via OAuth. The exploit is time-sensitive, limited to the OAuth token's validity period as determined by the OAuth provider. During this window, an attacker could potentially hijack the session of a more privileged user, leading to privilege escalation. Odoo S.A. has reported no known exploits of this vulnerability in the wild (GitHub Issue).
Several mitigation options are available: 1) update to the latest release of Odoo Community 15.0 or Odoo Enterprise 15.0; 2) remove export permissions from untrusted internal users, either by unchecking the 'Access to export feature' checkbox on the user form or by removing them from the 'Technical/Access to export feature' group; 3) uninstall the auth_oauth module if alternative login methods are available. Odoo Cloud servers (SaaS and SH) have been patched automatically (GitHub Issue).
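Mitigation 2 is only as good as your inventory of who actually holds the export permission. The following audit script is an added example, not part of the advisory or of Odoo's own code: it lists the internal (non-portal) users that belong to the export group, optionally excluding a trusted allowlist, and builds the write() payload that would remove the group from each flagged user. It assumes the group's XML id is base.group_allow_export and that user records have the shape returned by Odoo's search_read over XML-RPC; the embedded sample records are constructed for offline use.

```python
"""Audit which internal Odoo users hold the 'Access to export feature' group.

Added example for CVE-2024-12368 mitigation 2; not code from the advisory or
from Odoo. Assumes the group's XML id is base.group_allow_export (assumption)
and that records look like res.users search_read results over XML-RPC.
"""
import xmlrpc.client

EXPORT_GROUP_XMLID = "base.group_allow_export"  # assumed XML id of the export group

# Constructed sample, shaped like res.users search_read output.
# share=True marks portal/public users, which are not "internal users".
SAMPLE_EXPORT_GROUP_ID = 42
SAMPLE_USERS = [
    {"id": 2, "login": "admin", "share": False, "groups_id": [1, 7, 42]},
    {"id": 5, "login": "alice", "share": False, "groups_id": [1, 42]},
    {"id": 6, "login": "bob", "share": False, "groups_id": [1]},
    {"id": 9, "login": "portal-carol", "share": True, "groups_id": [42]},
]


def export_capable_internal_users(users, export_group_id, trusted_logins=()):
    """Return internal users (share=False) holding the export group,
    excluding logins you have decided to trust, sorted by login."""
    trusted = set(trusted_logins)
    return sorted(
        (u for u in users
         if not u["share"]
         and export_group_id in u["groups_id"]
         and u["login"] not in trusted),
        key=lambda u: u["login"],
    )


def removal_commands(users, export_group_id):
    """Build the per-user write() values that drop the export group.

    (3, id) is Odoo's many2many 'unlink' command: it removes the link between
    the user and the group without deleting the group record itself."""
    return {u["id"]: {"groups_id": [(3, export_group_id)]} for u in users}


def fetch_live(url, db, login, password):
    """Pull the same data from a running instance via XML-RPC (not run offline).

    Resolves the group id through ir.model.data and reads active users."""
    common = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/common")
    uid = common.authenticate(db, login, password, {})
    models = xmlrpc.client.ServerProxy(f"{url}/xmlrpc/2/object")
    module, name = EXPORT_GROUP_XMLID.split(".")
    group_id = models.execute_kw(
        db, uid, password, "ir.model.data", "search_read",
        [[["module", "=", module], ["name", "=", name]]],
        {"fields": ["res_id"], "limit": 1},
    )[0]["res_id"]
    users = models.execute_kw(
        db, uid, password, "res.users", "search_read",
        [[["active", "=", True]]],
        {"fields": ["login", "share", "groups_id"]},
    )
    return users, group_id


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_live(...) for a real audit.
    flagged = export_capable_internal_users(SAMPLE_USERS, SAMPLE_EXPORT_GROUP_ID,
                                            trusted_logins=["admin"])
    for user in flagged:
        print(f"export-capable internal user: {user['login']} (id {user['id']})")
    print(removal_commands(flagged, SAMPLE_EXPORT_GROUP_ID))
```

Review the flagged list by hand before applying the write() payload: the audit treats every internal export-capable user not on the allowlist as a candidate for removal, and the allowlist is the place to record who legitimately needs exports.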
Source: This report was generated using AI