GoogleOSV:GHSA-GFP2-W5JM-955QOMERO.web exposes some unnecessary session information in the page
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
38.9%
Background
OMERO.web loads various information about the current user such as their id, name and the groups they are in, and these are available on the main webclient pages. Some additional information being loaded is not used by the webclient and is being removed in this release.
Impact
OMERO.web before 5.9.0
Patches
5.9.0
Workarounds
No workaround
References
For more information
If you have any questions or comments about this advisory:
References
github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021
github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c
github.com/ome/omero-web/security/advisories/GHSA-gfp2-w5jm-955q
nvd.nist.gov/vuln/detail/CVE-2021-21376
pypi.org/project/omero-web
www.openmicroscopy.org/security/advisories/2021-SV1
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.001 Low
EPSS
Percentile
38.9%