2019-SV1 Reader Used Files

affects OMERO.server versions 5.0.0 to 5.6.0



The reading of files from imported image filesets may circumvent OMERO permissions restrictions.


OMERO uses Bio-Formats to read image data from the files that were uploaded at import time. It is possible to craft an image import that causes Bio-Formats to read a file from the OMERO server to which the user does not have read access.

On various code paths through the server, OMERO 5.6.1 introduces checks that the files Bio-Formats regards as being used by an image are also judged readable by the user under OMERO's permissions system.
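The kind of check described above, as an added example that is not OMERO's own code: every file a reader reports as used must map to a record the requesting user may read, and one failure refuses the whole read. `RepoFile`, `User`, `can_read` and the permission rule are simplified assumptions, and the sample paths are constructed.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

@dataclass(frozen=True)
class RepoFile:          # hypothetical stand-in for a server-side file record
    path: str
    owner: str
    group: str
    group_readable: bool

@dataclass(frozen=True)
class User:              # hypothetical stand-in for the requesting user
    name: str
    groups: frozenset

def can_read(user, record):
    """Assumed toy rule: the owner, or a group member if group-readable."""
    return record.owner == user.name or (
        record.group_readable and record.group in user.groups)

def unreadable_used_files(user, used_files, repo_index):
    """Return the used files the user may not read (fails closed)."""
    denied = []
    for raw in used_files:
        path = str(PurePosixPath(raw))    # collapses "//" and "./" only
        record = repo_index.get(path)     # a path with no record is denied
        if record is None or not can_read(user, record):
            denied.append(raw)
    return denied

def open_image(user, used_files, repo_index):
    """Refuse the whole read when any single used file fails the check."""
    denied = unreadable_used_files(user, used_files, repo_index)
    if denied:
        raise PermissionError(f"not readable by {user.name}: {denied}")
    return [str(PurePosixPath(p)) for p in used_files]

# Constructed sample data: three users, two groups.
ALICE = User("alice", frozenset({"lab-a"}))
REPO = {f.path: f for f in [
    RepoFile("alice/img.companion.ome", "alice", "lab-a", False),
    RepoFile("alice/img.tiff", "alice", "lab-a", False),
    RepoFile("carol/shared.tiff", "carol", "lab-a", True),
    RepoFile("bob/private.tiff", "bob", "lab-b", False),
]}

if __name__ == "__main__":
    own = ["alice/img.companion.ome", "alice//img.tiff", "carol/shared.tiff"]
    print(open_image(ALICE, own, REPO))
    print(unreadable_used_files(ALICE, own + ["bob/private.tiff"], REPO))
```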

This vulnerability is identified as CVE-2019-9944.

Affected Packages

OMERO.server from 5.0.0 to 5.6.0 inclusive.


Medium severity.

CVSS score 4.4, vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:R


All OMERO.servers should be upgraded to at least 5.6.1.
