CVE-2021-21376

MEDIUM

OMERO.web < 5.9.0 - Exposure of Sensitive User Information

Title source: llm

Description

OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 loads various information about the current user such as their id, name and the groups they are in, and these are available on the main webclient pages. This represents an information exposure vulnerability. Some additional information being loaded is not used by the webclient and is being removed in this release. This is fixed in version 5.9.0.

References (5)

Core 5

Core References

Third Party Advisory x_refsource_confirm

https://github.com/ome/omero-web/security/advisories/GHSA-gfp2-w5jm-955q

Release Notes, Third Party Advisory x_refsource_misc

https://pypi.org/project/omero-web/

Release Notes, Third Party Advisory x_refsource_misc

https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021

Vendor Advisory x_refsource_misc

https://www.openmicroscopy.org/security/advisories/2021-SV1/

Patch, Third Party Advisory x_refsource_misc

https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c

View Patch ZIP pw:eip

Scores

CVSS v3 6.4

EPSS 0.0146

EPSS Percentile 70.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

Details

CWE

CWE-200

Status published

Products (2)

openmicroscopy/omero.web < 5.9.0

pypi/omero-web 0 - 5.9.0PyPI

Published Mar 23, 2021

Tracked Since Feb 18, 2026