2016-SV1 Cleanse

Synopsis

The cleanse.py script, which is used by the "bin/omero admin cleanse" command, can lead to data loss.

Background

If the cleanse.py script is run by an operating system user who has permission to delete from the filesystem used for OMERO's binary repository, but who is logged into OMERO as a non-administrative user (not a member of the OMERO "system" group), then the cleanse operation will delete other users' images, attachments, and other files that the OMERO user does not have permission to access.
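
The following is an added, simplified model of this failure mode and of one possible guard; it is not OMERO's code and not the provided patch. It assumes the script decides what to delete by checking, under the caller's own session, which repository files still back a visible object. All names and sample data are hypothetical.

```python
# Simplified model of the failure mode; not OMERO code. All names are hypothetical.
from dataclasses import dataclass

SYSTEM_GROUP = "system"  # OMERO's administrative group, as named in the advisory


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset

    def is_admin(self) -> bool:
        return SYSTEM_GROUP in self.groups


# Constructed sample data: repository file -> owning OMERO user.
REPO = {
    "Files/101": "alice",
    "Files/102": "bob",
    "Pixels/7": "bob",
    "Files/999": None,  # genuinely orphaned: no database object refers to it
}


def visible_files(session: Session) -> set:
    """Files whose backing object this session is permitted to read."""
    if session.is_admin():
        return {f for f, owner in REPO.items() if owner is not None}
    return {f for f, owner in REPO.items() if owner == session.user}


def cleanse_unsafe(session: Session) -> set:
    """Returns the files that would be deleted when anything the session
    cannot see is treated as orphaned (the behaviour described above)."""
    return set(REPO) - visible_files(session)


def cleanse_guarded(session: Session) -> set:
    """Same selection, but refuses to run for a non-administrative session,
    whose restricted view cannot distinguish hidden files from orphans."""
    if not session.is_admin():
        raise PermissionError("cleanse requires membership of the 'system' group")
    return set(REPO) - visible_files(session)
```

In this model a non-administrative session selects every other user's file for deletion alongside the real orphan, while the guarded version selects only the orphan and only for an administrator.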

Affected packages

OMERO.server up to and including 5.2.3.

Impact

Potential for data loss.

Workaround

Use the provided patch to patch cleanse.py:

Resolution

All OMERO.servers should be upgraded to at least 5.2.4.

Thanks

Carnë Draug for notifying the OME team of this security issue.
