affects OMERO.web versions 5.4.6 and earlier
If an error occurs during login to OMERO.web, the HTTP response returned to the user contains the user's password. This is included in automated e-mails to OMERO web admins and within the feedback sent to the OME QA system if the user chooses to submit the error. Each issue submitted to the OME QA system is accessible only to the OMERO team and the user who submitted it.
Django generates an error response if an unexpected error occurs. This includes data in the HTTP POST dictionary. The OMERO.web feedback tool allows users to submit any errors to the OME team's QA database. This may include the user's password. This behavior has existed in all versions of OMERO.web but errors within the login process were rarely seen until recent changes in OMERO 5.4.6 which causes an error if the OMERO.server is not running or is not compatible with the version of OMERO.web. This issue has been fixed for OMERO 5.4.7 in OMERO PR #5769. Furthermore, passwords are now removed from any errors generated by Django during login.
This vulnerability is identified as CVE-2018-1000633.
OMERO.web before 5.4.7.
Do not submit login errors to the OME team.
All OMERO.servers should be upgraded to at least 5.4.7.
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.04.18