affects OMERO 5 versions 5.4.6 and earlier
Restricted administrators who are permitted to modify users can change the password of administrators more powerful than themselves then log in using that new password to gain elevated privileges.
Without the ModifyUser
restriction an administrator may,
Change another administrator's e-mail address to their own.
Reset that administrator's password.
Read the new password from the e-mail sent by OMERO.server.
Log in as that other administrator.
or,
Change another administrator's password to a given value.
Log in as that other administrator.
This vulnerability is identified as CVE-2018-1000634.
OMERO.server from 5.4.0 to 5.4.6 inclusive.
Do not give restricted administrators such as Group and Data Organizer the ability to Create and Edit Users.
This corresponds to the ModifyUser
restriction as viewed from OMERO.cli.
All OMERO.servers should be upgraded to at least 5.4.7.
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.04.18