affects OMERO versions 5.2.3 and earlier
The cleanse.py script which is used by the "bin/omero admin cleanse" command can lead to data loss.
If the cleanse.py script is run by an operating system user who has permission to delete from the filesystem used for OMERO's binary repository but who is logged into OMERO as a non-administrative user (not a member of the OMERO "system" group) then the cleanse operation will delete other users' images, attachments, and other files that the OMERO user does not have permission to access.
OMERO.server up to and including 5.2.3.
Potential for data loss.
Use the 2016-SV1-cleanse.patch to patch cleanse.py.
All OMERO.servers should be upgraded to at least 5.2.4.
Carnë Draug for notifying the OME team of this security issue.
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.04.18