Affects OMERO.server versions 5.0.0 to 5.6.0.
The reading of files from imported image filesets may circumvent OMERO permissions restrictions.
OMERO uses Bio-Formats to read image data from the files that were uploaded at import time. It is possible to craft an image import that causes Bio-Formats to read a file on the OMERO server to which the user does not have read access.
OMERO 5.6.1 introduces checks, on various code paths through the server, that every file Bio-Formats regards as being used by the image is judged by OMERO's permissions system to be readable by the user.
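The shape of such a check, as an added example that is not OMERO's own code: before any image data is read, every file the reader reports as used is looked up and tested against the requesting user's permissions, and a file with no record is refused. The `FileRecord` and `User` types, the owner/group rule and the sample catalog are simplified assumptions made for this sketch.

```python
import posixpath
from dataclasses import dataclass

# Hypothetical, simplified stand-ins; OMERO's real permissions model is richer.
@dataclass(frozen=True)
class FileRecord:
    path: str             # repository-relative path
    owner: str
    group: str
    group_readable: bool  # may other members of `group` read the file?

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset

def can_read(user, rec):
    """Owner may always read; group members only if the group allows it."""
    if rec.owner == user.name:
        return True
    return rec.group_readable and rec.group in user.groups

def unreadable_used_files(used_files, catalog, user):
    """Return the used files (as reported by the reader) the user may not read.
    A path with no record in `catalog` counts as unreadable (fail closed)."""
    denied = []
    for raw in used_files:
        rec = catalog.get(posixpath.normpath(raw))
        if rec is None or not can_read(user, rec):
            denied.append(raw)
    return denied

def open_image(used_files, catalog, user):
    """Refuse to read anything unless every used file passes the check."""
    denied = unreadable_used_files(used_files, catalog, user)
    if denied:
        raise PermissionError(f"{user.name} may not read: {', '.join(denied)}")
    return [posixpath.normpath(p) for p in used_files]

# Constructed sample data, not taken from any real server.
CATALOG = {r.path: r for r in [
    FileRecord("alice_1/2019-03/img.tif", "alice", "lab-a", True),
    FileRecord("alice_1/2019-03/img.companion", "alice", "lab-a", True),
    FileRecord("bob_2/2019-03/private.tif", "bob", "lab-b", False),
]}
ALICE = User("alice", frozenset({"lab-a"}))
CAROL = User("carol", frozenset({"lab-a"}))
```

The check runs over the reader's full used-files list rather than only the file the user named, so one unreadable entry blocks the whole image.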
This vulnerability is identified as CVE-2019-9944.
OMERO.server from 5.0.0 to 5.6.0 inclusive.
All OMERO.servers should be upgraded to at least 5.6.1.