affects OMERO.server 5 versions 5.6.0 and earlier
OMERO.server uses Hibernate Filters to protect sensitive data but it is possible to craft a query that can access some data indirectly.
Some objects are hidden from normal users for security reasons. The OMERO.blitz API allows users to query the server for data. One may bypass the security filters by making those queries in an obscure manner.
OMERO 5.6.1 uses custom types to effect the hiding of sensitive fields. These take effect regardless of how the field was queried.
This vulnerability is identified as CVE-2019-16244.
OMERO.server before 5.6.1.
Critical severity.
CVSS score 9.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
All OMERO.servers should be upgraded to at least 5.6.1.
© 2005-2024 University of Dundee & Open Microscopy Environment. Creative Commons Attribution 4.0 International License
OME source code is available under the GNU General public license or more permissive open source licenses, or through commercial license from Glencoe Software Inc.
OME, Bio-Formats, OMERO, IDR and their associated logos are trademarks of Glencoe Software Inc., which holds these marks to protect them on behalf of the OME community.
[ Site Map ]
Version: 2024.04.18