2019-SV2 Group Permissions

affects OMERO.server versions 5.1.0 to 5.6.0


Permissions on OMERO model objects may be circumvented during certain operations such as move and delete.


The OMERO Blitz API offers several graph operations that modify user data. The code checks permissions manually as it operates.

OMERO 5.6.1 improves the permissions query to take account of a model object's group context and ensure that all graph operations comply with the user's permissions.

This vulnerability is identified as CVE-2019-9943.

Affected Packages

OMERO.server from 5.1.0 to 5.6.0 inclusive.


Medium severity.

CVSS score: 5.3, vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C


All OMERO.servers should be upgraded to at least 5.6.1.
