2014-SV1 Unicode Passwords

affects OMERO4 versions 4.4.11 and earlier and OMERO5 versions 5.0.4 and earlier

back to Advisories


The incorrect encoding of passwords with LATIN-1 rather than UTF-8 caused a reduction in the entropy of passwords with Unicode characters.


Unicode characters in user passwords were being encoded with the LATIN-1 (ISO-8859-1) character set. These extended characters were converted to a subset of the ASCII character set, reducing the strength of the passwords.

Affected Packages

OMERO.server up to and including 4.4.11, and 5.0 servers prior to 5.0.5.


A remote attacker could possibly login to accounts he/she is not permitted to access. With a list of current users, the attacker could attempt to login as each user using a limited set of passwords. The primary concern are users with strictly Unicode passwords who are highly vulnerable.

Note: OMERO accounts which are backed by LDAP are not affected.




All OMERO.servers should be upgraded to at least 4.4.12 or preferably 5.0.5. System administrators should request that users who might have used extended characters reset their passwords after upgrading. There is no need to choose a new password.

back to top