CVE-2021-21377

Sažetak

OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting.

Reference

https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021
https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c
https://github.com/ome/omero-web/security/advisories/GHSA-g4rf-pc26-6hmr
https://pypi.org/project/omero-web/
https://www.openmicroscopy.org/security/advisories/2021-SV2/

CVSS

Base:	4.9
Impact:	4.9
Exploitability:	6.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	NONE

CVSS vektor

AV:N/AC:M/Au:S/C:P/I:P/A:N

Zadnje važnije ažuriranje

27-03-2021 - 02:20

Objavljeno

23-03-2021 - 16:15