affects OMERO 5 versions 5.4.3 and earlier
A user can gain permissions to edit a previously unused official script by running that script then having an administrator give all that user's data to an accomplice. That script may then be edited to perform arbitrary operations with the permissions of users who subsequently run the script.
The implementation of Chgrp2, Chown2 and Delete2 assumed that jobs link to files that have the same owner and group as the job. This is not true of jobs related to OMERO scripts. The previous graph transition rules wrongly assumed that performing an operation on a job or its link meant that it was safe to implicitly include linked files in that operation.
OMERO.server from 5.1.0 to 5.4.3 inclusive.
All OMERO.servers should be upgraded to at least 5.4.4.
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.04.18