affects OMERO versions 5.3.3 and earlier
A user could create an OriginalFile and adjust its path such that it now points to another user's file on the underlying filesystem, then manipulate the user's data.
Security relies on the uniqueness constraint on (path, name, repo) on the originalfile table in the database. 2017-SV5 adjusts that constraint to be insensitive to certain variations in the use of "/" characters.
This vulnerability is identified as CVE-2017-1000438.
OMERO.server up to and including 5.3.3
For OMERO 5.2, apply the provided SQL script to prevent the update of originalfile path and name with certain variations in the use of "/" characters:
If the script fails, then it is possible that file manipulation has taken place. Please contact security@openmicroscopy.org for help.
As always when applying a database upgrade, please take a database backup beforehand.
All OMERO.servers should be upgraded to at least 5.3.4.
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.04.18