CVE-2021-21376

EUVD-2021-0157

23.03.2021, 16:15

OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 loads various information about the current user such as their id, name and the groups they are in, and these are available on the main webclient pages. This represents an information exposure vulnerability. Some additional information being loaded is not used by the webclient and is being removed in this release. This is fixed in version 5.9.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.4 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
GitHub_M	CNA	6.4 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 61%

Affected Products (NVD)

Vendor	Product	Version
openmicroscopy	omero.web	𝑥 < 5.9.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021

https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c

https://github.com/ome/omero-web/security/advisories/GHSA-gfp2-w5jm-955q

https://pypi.org/project/omero-web/

https://www.openmicroscopy.org/security/advisories/2021-SV1/

https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021

https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c

https://github.com/ome/omero-web/security/advisories/GHSA-gfp2-w5jm-955q

https://pypi.org/project/omero-web/

https://www.openmicroscopy.org/security/advisories/2021-SV1/