2021-SV2 URL validation on login

affects OMERO.web versions prior to 5.9.0

back to Advisories

Synopsis

OMERO webclient does not validate URL redirects on login or switching group.

Background

OMERO.web supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting.

This vulnerability is identified as CVE-2021-21377 and GHSA-g4rf-pc26-6hmr.

Affected Packages

OMERO.web before 5.9.0.

Impact

High severity.

CVSS score 6.6 vector AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:H/MPR:L/MUI:R/MS:U/MC:H/MI:H/MA:H

Resolution

All OMERO.web should be upgraded to at least 5.9.0.

Thanks

Teng Zheng for notifying the OME team of this security issue via security@openmicroscopy.org.


back to top