2019-SV3 User Privacy

affects OMERO.server 5 versions 5.6.0 and earlier

Synopsis

OMERO makes the details of each user available to all users.

Background

An OMERO Experimenter instance exists for every OMERO user and its fields are readable by other users. This is inconsistent with the principles of good data privacy.

OMERO 5.6.1 obscures users' details from other normal users, unless they are colleagues in a non-private group.

This vulnerability is identified as CVE-2019-16245.

Affected Packages

OMERO.server before 5.6.1.

Impact

Medium severity.

CVSS score 5.1, vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C

Resolution

All OMERO.servers should be upgraded to at least 5.6.1.

