CVE-2021-21377
MEDIUM4.8EPSS 0.31%OMERO webclient does not validate URL redirects on login or switching group.
發布日:2021/3/23修改日:2026/3/13
描述
### Background OMERO.web supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the ``omero.web.redirect_allowed_hosts`` setting. ### Impact OMERO.web before 5.9.0 ### Patches 5.9.0 ### Workarounds No workaround ### References ### For more information If you have any questions or comments about this advisory: * Open an issue in [omero-web](https://github.com/ome/omero-web) * Email us at [security](mailto:[email protected])
受影響套件(2)
- PyPI/omero-webfrom 0, < 5.9.0
- PyPI/omero-webfrom 0, < 952f8e5d28532fbb14fb665982211329d137908c | from 0, < 5.9.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM4.8 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N |
參考連結(10)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-21377
- ADVISORYhttps://www.openmicroscopy.org/security/advisories/2021-SV2/
- PATCHhttps://github.com/ome/omero-web
- PATCHhttps://pypi.org/project/omero-web/
- WEBhttps://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021
- WEBhttps://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c
- WEBhttps://github.com/ome/omero-web/security/advisories/GHSA-g4rf-pc26-6hmr
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/omero-web/PYSEC-2021-32.yaml
- WEBhttps://pypi.org/project/omero-web
- WEBhttps://www.openmicroscopy.org/security/advisories/2021-SV2