2019-SV6 Group Owner Context

affects OMERO.server versions 5.1.0 to 5.6.0


Synopsis

OMERO does not fully restrict the actions of group owners to within their group.

Background

OMERO allows a group owner to perform various actions as another member of a group they own. In some cases, those actions were not restricted to the group the caller owns: the server checked the owner's relationship to the target user but not that the resulting session context stayed within the owner's own groups.

OMERO 5.6.1 adds a server-side check that the session context for a group owner is limited to their groups.
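The following is an added example, not OMERO's code, written to illustrate the class of check the advisory describes. It models a group owner switching a session to act as another member: one function (`act_as_weak`) shows a plausible incomplete check that ties the target user, but not the requested group context, back to the caller's ownership; the other (`act_as_fixed`) requires the group context itself to be one the caller owns. The users, groups, function names and the exact shape of the weak check are assumptions for illustration; they are not taken from OMERO's source.

```python
# Added example, not OMERO's code: a simplified model of the class of check the
# advisory describes. Users, groups and function names are made up.
from dataclasses import dataclass


class ContextDenied(Exception):
    """Raised when a requested session context is not permitted."""


@dataclass(frozen=True)
class Session:
    user: str   # the user the session acts as
    group: str  # the group context the session acts in


# Constructed directory for the example (hypothetical users and groups).
MEMBERSHIP = {            # user -> groups they belong to
    "alice": {"lab-a"},
    "dave": {"lab-a", "lab-b"},
    "carol": {"lab-b"},
}
OWNERS = {                # group -> users who own it
    "lab-a": {"alice"},
    "lab-b": {"carol"},
}


def owned_groups(user: str) -> set:
    """Groups that `user` owns."""
    return {g for g, owners in OWNERS.items() if user in owners}


def act_as_weak(caller: Session, target_user: str, target_group: str) -> Session:
    """Incomplete check (hypothetical): verifies the caller owns *some* group the
    target belongs to, then accepts any group the target belongs to as the new
    context. The group context is never tied back to the caller's ownership."""
    shared = MEMBERSHIP.get(target_user, set()) & owned_groups(caller.user)
    if not shared:
        raise ContextDenied(f"{caller.user} does not own a group containing {target_user}")
    if target_group not in MEMBERSHIP.get(target_user, set()):
        raise ContextDenied(f"{target_user} is not a member of {target_group}")
    return Session(user=target_user, group=target_group)


def act_as_fixed(caller: Session, target_user: str, target_group: str) -> Session:
    """Server-side check of the kind the advisory describes: the requested group
    context itself must be one the caller owns, and the target user must be a
    member of that same group."""
    if target_group not in owned_groups(caller.user):
        raise ContextDenied(f"{caller.user} does not own {target_group}")
    if target_group not in MEMBERSHIP.get(target_user, set()):
        raise ContextDenied(f"{target_user} is not a member of {target_group}")
    return Session(user=target_user, group=target_group)


def escapes_owned_groups(check, caller: Session, target_user: str, target_group: str) -> bool:
    """True if `check` lets `caller` obtain a session in a group it does not own."""
    try:
        session = check(caller, target_user, target_group)
    except ContextDenied:
        return False
    return session.group not in owned_groups(caller.user)


if __name__ == "__main__":
    alice = Session(user="alice", group="lab-a")
    # alice owns lab-a only; dave is a member of both lab-a and lab-b.
    print("weak check lets alice act in lab-b:",
          escapes_owned_groups(act_as_weak, alice, "dave", "lab-b"))   # True
    print("fixed check lets alice act in lab-b:",
          escapes_owned_groups(act_as_fixed, alice, "dave", "lab-b"))  # False
```

The point of the comparison is where the authorization decision is anchored: the weak variant authorizes the relationship between two users and then trusts the requested group, so a shared member in two groups becomes a bridge into a group the caller does not own. The fixed variant authorizes the group context first and only then the user within it, which is the invariant a server-side check should enforce regardless of what the client requests.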

This vulnerability is identified as CVE-2020-6752.

Affected Packages

OMERO.server before 5.6.1.

Impact

Low severity.

CVSS 3.x temporal score 3.6 (base score 3.8), vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C

Resolution

All OMERO.server installations should be upgraded to 5.6.1 or later.
