CVE-2023-31047 ("Django file upload validation") Assessment

Affects OMERO.web 5.17.0 - 5.19.0


Synopsis

Django security release 3.2.19 is incompatible with OMERO.web 5.17.0 - 5.19.0

Background

Django has just issued a series of security releases and encouraged users to upgrade as soon as possible. Unfortunately, the security fix includes backwards-incompatible changes that prevent OMERO.web versions 5.17.0 through the current 5.19.0 from starting with Django 3.2.19.

The OME team in Dundee, together with Glencoe Software, has evaluated the impact of the security issue. We can say with confidence that OMERO.web is not vulnerable, as it does not include custom file upload validation of the kind that could be bypassed in Django 3.2.18 and earlier.

At the time of writing, there is no security concern associated with running OMERO.web with Django 3.2.18. We are actively working on an imminent release of OMERO.web that will restore compatibility with the Django 3.2 LTS line and allow consumers to upgrade to Django 3.2.19.

For these reasons, we recommend that OMERO users do not yet upgrade to the Django releases recommended upstream. We will announce our plans for an updated release of OMERO.web in the near future.

Affected Packages

OMERO.web 5.17.0 - 5.19.0

Impact

Low severity.

Workaround

All users should continue to use Django 3.2.18.

Resolution

A compatible version of OMERO.web (5.20.0) has been released.
