CVE-2020-29396 Overview
CVE-2020-29396 is a sandboxing weakness affecting Odoo Community and Odoo Enterprise editions versions 11.0 through 13.0 when running on Python 3.6 or later. The flaw allows remote authenticated users to escape the application's restricted execution environment and run arbitrary code on the server. Successful exploitation results in privilege escalation within the Odoo application stack. The vulnerability is mapped to [CWE-267: Privilege Defined With Unsafe Actions].
Critical Impact
Authenticated attackers can break out of the Odoo sandbox to execute arbitrary Python code, leading to full compromise of the Odoo application context and potential lateral movement.
Affected Products
- Odoo Community 11.0 through 13.0
- Odoo Enterprise 11.0 through 13.0
- Python 3.6 or later runtime environments hosting affected Odoo versions
Discovery Timeline
- 2020-12-22 - CVE-2020-29396 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-29396
Vulnerability Analysis
Odoo provides a restricted Python evaluation environment used for server actions, computed fields, and automated rules. This sandbox limits which built-ins, attributes, and modules user-supplied expressions can access. CVE-2020-29396 stems from a sandbox restriction that is incomplete when Odoo runs under Python 3.6 or later. Changes to Python internals between supported interpreter versions expose attribute lookup paths the sandbox did not anticipate. Authenticated users with permission to define or trigger evaluated expressions can leverage these paths to reach unsanitized callables and import arbitrary modules.
Root Cause
The root cause is an unsafe action surface within the restricted evaluator [CWE-267]. The sandbox relies on filtering attribute and built-in access, but Python 3.6+ introduces accessible object graph traversals that bypass the filter. Once a user reaches an unrestricted callable, they can execute arbitrary Python in the Odoo worker process.
Attack Vector
Exploitation requires network access to the Odoo instance and a valid authenticated session with sufficient rights to submit evaluated expressions, such as creating server actions, automated actions, or computed field formulas. The attacker submits a crafted expression that traverses Python object internals to reach os, subprocess, or similar modules, then executes commands under the Odoo service account. Refer to the Odoo GitHub Issue #63712 and the Oracle Critical Patch Update July 2022 for vendor context.
No verified public proof-of-concept code is available for this CVE.
See the Odoo issue tracker referenced above for technical details.
Detection Methods for CVE-2020-29396
Indicators of Compromise
- Unexpected creation or modification of ir.actions.server, base.automation, or computed field definitions by non-administrative users.
- Odoo worker processes spawning child processes such as /bin/sh, python, or curl outside normal application behavior.
- Outbound network connections from the Odoo server to attacker-controlled hosts shortly after authenticated logins.
Detection Strategies
- Audit the Odoo ir.logging and database change logs for newly inserted server actions or automated rules containing suspicious attribute traversals like __class__, __subclasses__, or __globals__.
- Monitor process trees on Odoo hosts for the Odoo Python worker spawning shells or interpreters, which is abnormal for the application.
- Inspect HTTP request logs for repeated /web/dataset/call_kw or /longpolling calls that immediately precede privilege changes.
Monitoring Recommendations
- Forward Odoo application logs, PostgreSQL audit logs, and host process telemetry to a centralized analytics platform for correlation.
- Establish a baseline of which users legitimately author server actions and alert on deviations.
- Track EPSS scoring changes for this CVE over time to prioritize remediation against active exploitation trends.
How to Mitigate CVE-2020-29396
Immediate Actions Required
- Upgrade Odoo Community or Enterprise to a patched release beyond version 13.0, or apply the fixes referenced in Odoo GitHub Issue #63712.
- Restrict the ability to create or edit server actions, automated actions, and computed fields to a minimal set of trusted administrators.
- Review existing server actions and automated rules for unexpected Python expressions and remove any unauthorized entries.
Patch Information
Odoo addressed the sandbox bypass in maintenance updates tracked through Odoo GitHub Issue #63712. Oracle customers running affected Odoo-derived components should apply the fixes documented in the Oracle Critical Patch Update July 2022. Verify that the deployed Odoo build incorporates the updated safe_eval restrictions before returning the system to normal operation.
Workarounds
- Limit Access Rights and Record Rules so that only administrators hold the base.group_system privileges required to author evaluated expressions.
- Run the Odoo service under a dedicated low-privilege OS account with no write access outside its data directories to contain post-exploitation impact.
- Place the Odoo instance behind an authenticating reverse proxy and enforce IP allow-listing for administrative endpoints until patches are deployed.
# Configuration example: restrict Odoo service privileges and admin group membership
# 1. Run Odoo under a dedicated user with no shell
sudo useradd --system --no-create-home --shell /usr/sbin/nologin odoo
# 2. Tighten odoo.conf to disable database management and require strong admin password
# /etc/odoo/odoo.conf
list_db = False
admin_passwd = <strong-random-value>
proxy_mode = True
# 3. Audit users in the System Administrator group via psql
psql -U odoo -d <db> -c "SELECT u.login FROM res_users u \
JOIN res_groups_users_rel r ON r.uid = u.id \
JOIN res_groups g ON g.id = r.gid \
WHERE g.name = 'Settings';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
