CVE-2021-21376
OMERO.web exposes some unnecessary session information in the page
6.4
MEDIUM
CVSS 3.1
EPSS 0.42%
Description
OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 loads various information about the current user such as their id, name and the groups they are in, and these are available on the main webclient pages. This represents an information exposure vulnerability. Some additional information being loaded is not used by the webclient and is being removed in this release. This is fixed in version 5.9.0.
How to fix CVE-2021-21376
To remediate CVE-2021-21376, upgrade the affected package to a fixed version below.
- —upgrade to 5.9.0 or later
- —upgrade to 952f8e5d28532fbb14fb665982211329d137908c or later
Is CVE-2021-21376 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 5.9.0
- from 0, < 952f8e5d28532fbb14fb665982211329d137908c | from 0, < 5.9.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM6.4 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |