{"api_version":"1","generated_at":"2026-04-23T02:16:19+00:00","cve":"CVE-2020-29396","urls":{"html":"https://cve.report/CVE-2020-29396","api":"https://cve.report/api/cve/CVE-2020-29396.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-29396","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-29396"},"summary":{"title":"CVE-2020-29396","description":"A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation.","state":"PUBLIC","assigner":"security@odoo.com","published_at":"2020-12-22 17:15:00","updated_at":"2023-02-02 22:21:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://github.com/odoo/odoo/issues/63712","name":"https://github.com/odoo/odoo/issues/63712","refsource":"MISC","tags":["Patch","Third Party Advisory"],"title":"[SEC] CVE-2020-29396 - Affects: Odoo 11.0 through 14.0 (Community a... · Issue #63712 · odoo/odoo · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","name":"N/A","refsource":"N/A","tags":[],"title":"Oracle Critical Patch Update Advisory - July 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-29396","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-29396","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Toufik Ben Jaa","lang":""},{"source":"LEGACY","value":"Stéphane Debauche","lang":""},{"source":"LEGACY","value":"Benoît FONTAINE","lang":""}],"nvd_cpes":[{"cve_year":"2020","cve_id":"29396","vulnerable":"1","versionEndIncluding":"13.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"odoo","cpe5":"odoo","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"community","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"29396","vulnerable":"1","versionEndIncluding":"13.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"odoo","cpe5":"odoo","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"enterprise","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"29396","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"python","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"29396","vulnerable":"0","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"python","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-29396","qid":"900046","title":"CBL-Mariner Linux Security Update for python3 3.7.9"},{"cve":"CVE-2020-29396","qid":"902871","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (3706)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-29396","ASSIGNER":"security@odoo.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Odoo Community","version":{"version_data":[{"version_affected":">=","version_value":"11.0"}]}},{"product_name":"Odoo Enterprise","version":{"version_data":[{"version_affected":">=","version_value":"11.0"}]}},{"product_name":"Odoo Community","version":{"version_data":[{"version_affected":"<=","version_value":"13.0"}]}},{"product_name":"Odoo Enterprise","version":{"version_data":[{"version_affected":"<=","version_value":"13.0"}]}}]},"vendor_name":"Odoo"}]}},"credit":[{"lang":"eng","value":"Toufik Ben Jaa"},{"lang":"eng","value":"Stéphane Debauche"},{"lang":"eng","value":"Benoît FONTAINE"}],"description":{"description_data":[{"lang":"eng","value":"A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation."}]},"impact":{"cvss":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":9.9,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"CHANGED","userInteraction":"NONE","vectorString":" CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L","version":"3.0"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-267: Privilege Defined With Unsafe Actions"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://github.com/odoo/odoo/issues/63712","name":"https://github.com/odoo/odoo/issues/63712"},{"url":"https://www.oracle.com/security-alerts/cpujul2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujul2022.html"}]},"source":{"advisory":"ODOO-SA-2020-12-02","discovery":"EXTERNAL"}},"nvd":{"publishedDate":"2020-12-22 17:15:00","lastModifiedDate":"2023-02-02 22:21:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:odoo:odoo:*:*:*:*:community:*:*:*","versionStartIncluding":"11.0","versionEndIncluding":"13.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:odoo:odoo:*:*:*:*:enterprise:*:*:*","versionStartIncluding":"11.0","versionEndIncluding":"13.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*","versionStartIncluding":"3.6.0","cpe_name":[]}]}],"cpe_match":[]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"29396","Ordinal":"192462","Title":"CVE-2020-29396","CVE":"CVE-2020-29396","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"29396","Ordinal":"1","NoteData":"A sandboxing issue in Odoo Community 11.0 through 13.0 and Odoo Enterprise 11.0 through 13.0, when running with Python 3.6 or later, allows remote authenticated users to execute arbitrary code, leading to privilege escalation.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"29396","Ordinal":"2","NoteData":"2020-12-22","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"29396","Ordinal":"3","NoteData":"2020-12-22","Type":"Other","Title":"Modified"}]}}}