affects OMERO.server versions 5.1.0 to 5.6.0
Permissions on OMERO model objects may be circumvented during certain operations such as move and delete.
The OMERO Blitz API offers several graph operations
that modify user data. The code checks permissions manually as it operates.
OMERO 5.6.1 improves the permissions query to take account of a model object's group context and ensure that all graph operations comply with the user's permissions.
This vulnerability is identified as CVE-2019-9943.
OMERO.server from 5.1.0 to 5.6.0 inclusive.
All OMERO.servers should be upgraded to at least 5.6.1.
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.04.18