Information Exposure in OMERO.web
CVE-2021-21376

6.4MEDIUM

Key Information:

Vendor: Ome
Status: Omero-web
Vendor: CVE Published:; 23 March 2021

What is CVE-2021-21376?

OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 loads various information about the current user such as their id, name and the groups they are in, and these are available on the main webclient pages. This represents an information exposure vulnerability. Some additional information being loaded is not used by the webclient and is being removed in this release. This is fixed in version 5.9.0.

Affected Version(s)

omero-web < 5.9.0

References

https://github.com/ome/omero-web/security/advisories/GHSA...

x_refsource_CONFIRM

https://pypi.org/project/omero-web/

x_refsource_MISC

https://github.com/ome/omero-web/blob/master/CHANGELOG.md...

x_refsource_MISC

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 23, 2021
Vulnerability Reserved
Dec 22, 2020

Ome

What is CVE-2021-21376?

Affected Version(s)

References

CVSS V3.1

Timeline