Improper Access Control Vulnerability.
The OMERO.shares system bypasses intended security restrictions and grants elevated privileges to read otherwise-restricted data.
A user can retrieve data belonging to users across all groups by using the API. The user must be able to authenticate remotely using the standard 4063 and 4064 ports and have exploit code to make use of the vulnerability.
OMERO.server up to and including 5.2.4.
CVSS score 6.5 medium CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Any user is able to gain read-only access to resources that should not be accessible by creating a 'Share'.
- delete all shares
- disable the creation of shares
These scripts can be run against a running server with no downtime. If you are not actively using the shares functionality, this is a safe course of action. To see if your users have created any shares use:
psql omero -c "select count(*) from share"
Users who would like to save their existing shares for a later upgrade should do so before running the "delete-and-disable" script.
All OMERO.servers should be upgraded to at least 5.2.5. With this version, both existing and new shares do not exhibit the vulnerability. Shares now, however, only support images, as is common when creating shares from OMERO.web.