CVE-2021-21377
MEDIUM4.8EPSS 0.31%OMERO webclient does not validate URL redirects on login or switching group.
Published: 3/23/2021Modified: 3/13/2026
Description
### Background OMERO.web supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the ``omero.web.redirect_allowed_hosts`` setting. ### Impact OMERO.web before 5.9.0 ### Patches 5.9.0 ### Workarounds No workaround ### References ### For more information If you have any questions or comments about this advisory: * Open an issue in [omero-web](https://github.com/ome/omero-web) * Email us at [security](mailto:[email protected])
Affected packages (2)
- PyPI/omero-webfrom 0, < 5.9.0
- PyPI/omero-webfrom 0, < 952f8e5d28532fbb14fb665982211329d137908c | from 0, < 5.9.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM4.8 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N |
References (10)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-21377
- ADVISORYhttps://www.openmicroscopy.org/security/advisories/2021-SV2/
- PATCHhttps://github.com/ome/omero-web
- PATCHhttps://pypi.org/project/omero-web/
- WEBhttps://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021
- WEBhttps://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c
- WEBhttps://github.com/ome/omero-web/security/advisories/GHSA-g4rf-pc26-6hmr
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/omero-web/PYSEC-2021-32.yaml
- WEBhttps://pypi.org/project/omero-web
- WEBhttps://www.openmicroscopy.org/security/advisories/2021-SV2