2018-SV1 POST password

affects OMERO.web versions 5.4.6 and earlier

Synopsis

If an error occurs during login to OMERO.web, the HTTP response returned to the user contains the user's password. This is included in automated e-mails to OMERO web admins and within the feedback sent to the OME QA system if the user chooses to submit the error. Each issue submitted to the OME QA system is accessible only to the OMERO team and the user who submitted it.

Background

Django generates an error response if an unexpected error occurs, and that response includes the data in the HTTP POST dictionary. The OMERO.web feedback tool allows users to submit any errors to the OME team's QA database, so the submission may include the user's password. This behavior has existed in all versions of OMERO.web, but errors within the login process were rarely seen until recent changes in OMERO 5.4.6, which cause an error if the OMERO.server is not running or is not compatible with the version of OMERO.web. This issue has been fixed for OMERO 5.4.7 in OMERO PR #5769. Furthermore, passwords are now removed from any errors generated by Django during login.

This vulnerability is identified as CVE-2018-1000633.
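As an added illustration of the scrubbing the fix describes (this is not OMERO's or Django's own code), the following Python masks sensitive POST parameters before an error report is e-mailed to admins or submitted as feedback, and checks the outgoing report for a leaked raw value; the sensitive-name markers and the sample login request are assumptions constructed for the example.

```python
"""Scrub sensitive POST parameters from an error report before it leaves the server.
Added example, not OMERO's code: it mirrors the idea behind Django's
sensitive_post_parameters()/SafeExceptionReporterFilter without importing Django."""
import json
from collections.abc import Mapping

CLEANSED = "********"  # placeholder written in place of a hidden value
DEFAULT_SENSITIVE = ("password", "passwd", "secret", "token")  # assumed name markers


def cleanse_value(key, value, sensitive):
    """Hide the value if its key looks sensitive; recurse into containers."""
    if any(marker in key.lower() for marker in sensitive):
        return CLEANSED
    if isinstance(value, Mapping):
        return {k: cleanse_value(k, v, sensitive) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [cleanse_value(key, v, sensitive) for v in value]
    return value


def cleanse_post(post, sensitive=DEFAULT_SENSITIVE):
    """Return a copy of the POST dictionary with sensitive values masked."""
    return {k: cleanse_value(k, v, sensitive) for k, v in post.items()}


def build_error_report(path, post, exc, cleanse=True):
    """Build the payload an error handler would e-mail or submit as feedback."""
    # cleanse=False reproduces the vulnerable behaviour: raw POST, password included.
    data = cleanse_post(post) if cleanse else dict(post)
    return {"path": path, "exception": f"{type(exc).__name__}: {exc}", "POST": data}


def report_leaks_credentials(report, post, sensitive=DEFAULT_SENSITIVE):
    """Pre-send check: does any raw sensitive POST value appear in the report?"""
    text = json.dumps(report)
    return any(
        isinstance(v, str) and v and v in text
        for k, v in post.items()
        if any(m in k.lower() for m in sensitive)
    )


# Constructed sample: a login POST that hits an unexpected server-side error.
SAMPLE_POST = {"username": "alice", "password": "s3cr3t-pa55", "server": "1"}
SAMPLE_EXC = ConnectionError("could not connect to OMERO.server")

if __name__ == "__main__":
    for cleanse in (False, True):
        report = build_error_report("/webclient/login/", SAMPLE_POST, SAMPLE_EXC, cleanse)
        print("cleanse=%s leaks=%s" % (cleanse, report_leaks_credentials(report, SAMPLE_POST)))
```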

Affected Packages

OMERO.web before 5.4.7.

Impact

Medium severity.

CVSS score 5.9 vector AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

Workaround

Do not submit login errors to the OME team.

Resolution

All OMERO.servers should be upgraded to at least 5.4.7.
