CVE-2024-36259: 
NixOS vulnerability analysis and mitigation

CVE-2024-36259 is a security vulnerability affecting the mail module in Odoo Community 17.0 and Odoo Enterprise 17.0. The vulnerability was disclosed on February 25, 2025, and involves improper access control mechanisms that could potentially expose sensitive information. The issue specifically affects the mail module, which is a core component required by most Odoo applications (GitHub Issue).

The vulnerability stems from a programming error in the access control logic of the mail module, which allows the execution of crafted RPC search queries with elevated privileges. The flaw creates a yes/no oracle response mechanism that can be exploited to extract information. The vulnerability has been assigned a CVSS3 Score of 7.5 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network exploitability with no user interaction required (GitHub Issue).

The vulnerability allows remote authenticated attackers to extract sensitive information through oracle-based attacks using crafted queries. The attack can be executed by users with portal or regular user account access, potentially leading to unauthorized access to sensitive data through brute-force techniques (GitHub Issue).

A partial workaround involves disabling the 'Portal signup' option to prevent external users from signing up on the portal, thereby limiting attack exposure to current system users. However, the recommended solution is to update to the latest versions of Odoo Community 17.0 and Odoo Enterprise 17.0, which contain the security fixes. Odoo Cloud servers (SaaS and SH) have been automatically patched (GitHub Issue).