2019-SV3 User Privacy

affects OMERO.server 5 versions 5.6.0 and earlier



OMERO makes the details of each user available to all users.


An OMERO Experimenter instance exists for every OMERO user and its fields are readable by other users. This is inconsistent with the principles of good data privacy.

OMERO 5.6.1 obscures users' details from other normal users, unless they are colleagues in a non-private group.

This vulnerability is identified as CVE-2019-16245.

Affected Packages

OMERO.server before 5.6.1.


Medium severity.

CVSS score 5.1, vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C


All OMERO.servers should be upgraded to at least 5.6.1.
