affects OMERO.server versions 5.0.0 to 5.6.0
The reading of files from imported image filesets may circumvent OMERO permissions restrictions.
OMERO uses Bio-Formats to read image data from the files that were uploaded at import time. There is the possibility of crafting an image import that causes Bio-Formats to read a file from the OMERO server to which the user does not have read access.
For various codepaths through the server, OMERO 5.6.1 introduces checks that the files regarded by Bio-Formats as being used by the image are judged by OMERO's permissions system to be readable by the user.
This vulnerability is identified as CVE-2019-9944.
OMERO.server from 5.0.0 to 5.6.0 inclusive.
All OMERO.servers should be upgraded to at least 5.6.1.
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.04.18