affects OMERO4 versions 4.3.3 and earlier, and 4.4.3 and earlier
An LDAP authentication vulnerability has been found in OMERO.server.
When OMERO.server has LDAP authentication enabled and the LDAP server allows anonymous binds the use of an empty ("") password via the OMERO.server API permits logging in as any LDAP-based user.
OMERO.server between 4.3.0 and 4.3.3 inclusive, and all 4.4 servers prior to 4.4.3
A remote attacker could possibly login to accounts he/she is not permitted to access via the OMERO.server API. Logins via OMERO.insight or OMERO.web are not affected.
Disable LDAP authentication.
All OMERO.servers should be upgraded to at least 4.3.4.
Sebastien Besson for notifying the OME team of this security issue via the ome-devel mailing list.
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.04.18