Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc0cmYtcGMyNi02aG1y
OMERO webclient does not validate URL redirects on login or switching group.
Background
OMERO.web supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting.
Impact
OMERO.web before 5.9.0
Patches
5.9.0
Workarounds
No workaround
References
For more information
If you have any questions or comments about this advisory:
Permalink: https://github.com/advisories/GHSA-g4rf-pc26-6hmrJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWc0cmYtcGMyNi02aG1y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 8 months ago
Identifiers: GHSA-g4rf-pc26-6hmr, CVE-2021-21377
References:
- https://github.com/ome/omero-web/security/advisories/GHSA-g4rf-pc26-6hmr
- https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c
- https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021
- https://pypi.org/project/omero-web/
- https://www.openmicroscopy.org/security/advisories/2021-SV2/
- https://nvd.nist.gov/vuln/detail/CVE-2021-21377
- https://github.com/advisories/GHSA-g4rf-pc26-6hmr
Affected Packages
pypi:omero-web
Versions: < 5.9.0Fixed in: 5.9.0