Vulnerability Details: CVE-2021-21377
OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 supports redirection to a caller-supplied URL after a successful login or after switching the group context. That URL was not validated, so a link that carries an attacker-chosen redirect target sends the user to an untrusted site once they have authenticated. OMERO.web 5.9.0 validates the URL before redirecting: external URLs are rejected unless their host is listed in the omero.web.redirect_allowed_hosts setting.
Vulnerability category: Open redirect
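The fix described above boils down to one check: a post-login redirect target may be a relative path on the same site, or an http(s) URL whose host is the requesting host or is on an operator-maintained allow-list; anything else falls back to a fixed default. The following is an added example, not OMERO.web's own code or the project's actual implementation. It uses only the Python standard library, and the host names, the `REDIRECT_ALLOWED_HOSTS` set (standing in for what an operator would put in omero.web.redirect_allowed_hosts) and the `/webclient/` fallback are constructed for illustration. It also covers the bypasses a reviewer would probe an allow-list check with: scheme-relative `//host`, backslash and triple-slash variants, `javascript:` URLs, leading whitespace, and userinfo tricks such as `good-host@evil-host`.

```python
"""Added example (not OMERO.web code): allow-list validation of a redirect
target, the class of check introduced for CVE-2021-21377."""
import unicodedata
from urllib.parse import urlsplit

# Constructed sample configuration: the host the request arrived on and the
# hosts an operator would list in omero.web.redirect_allowed_hosts.
REQUEST_HOST = "omero.example.org"
REDIRECT_ALLOWED_HOSTS = {"viewer.example.org"}
DEFAULT_TARGET = "/webclient/"


def _host_and_scheme_ok(url, permitted_hosts):
    """Parse one spelling of the URL and check scheme and host."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    scheme, netloc = parts.scheme.lower(), parts.netloc.lower()
    # `http:///evil` or `javascript:alert(1)`: a scheme with no host.
    if scheme and not netloc:
        return False
    if netloc:
        # Scheme-relative `//host/...` becomes http(s) in a browser, so it is
        # an external redirect and must be checked like one.
        if scheme not in ("", "http", "https"):
            return False
        # `https://good@evil/` has hostname "evil"; reject any userinfo.
        if "@" in netloc or parts.hostname is None:
            return False
        if parts.hostname.lower() not in permitted_hosts:
            return False
    return True


def is_safe_redirect(url, request_host=REQUEST_HOST,
                     allowed_hosts=REDIRECT_ALLOWED_HOSTS):
    """True only for a same-site path or an http(s) URL to a permitted host."""
    if not url:
        return False
    # Browsers strip leading whitespace/control characters; a naive prefix
    # check would not, so refuse such input outright.
    if unicodedata.category(url[0])[0] in ("C", "Z"):
        return False
    # Chrome treats three or more leading slashes as an absolute URL.
    if url.startswith("///"):
        return False
    permitted = {request_host.lower()} | {h.lower() for h in allowed_hosts}
    # Browsers normalise backslashes to slashes (`/\evil` == `//evil`), so
    # the URL must pass as written and as the browser will read it.
    return all(_host_and_scheme_ok(candidate, permitted)
               for candidate in (url, url.replace("\\", "/")))


def redirect_target(requested_url, fallback=DEFAULT_TARGET):
    """What a login view should redirect to: the request if safe, else fixed."""
    return requested_url if is_safe_redirect(requested_url) else fallback


if __name__ == "__main__":
    for sample in ("/webclient/?show=image-1", "https://viewer.example.org/",
                   "//evil.example/", "/\\evil.example", "javascript:alert(1)",
                   "https://omero.example.org@evil.example/"):
        print(f"{sample!r:45} -> {redirect_target(sample)}")
```

In a Django application the same decision is available as `django.utils.http.url_has_allowed_host_and_scheme(url, allowed_hosts)` (Django 3.0 and later), and a view should prefer that over hand-rolled parsing; the hand-written version here exists so the individual rejection rules are visible and testable offline.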
Products affected by CVE-2021-21377
- cpe:2.3:a:openmicroscopy:omero.web:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-21377
- EPSS score: 0.08% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~32% (the proportion of vulnerabilities that are scored at or less than this one)
CVSS scores for CVE-2021-21377
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.9 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:N | 6.8 | 4.9 | NIST |
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST |
4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N | 1.2 | 3.6 | GitHub, Inc. |
CWE ids for CVE-2021-21377
- A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. (Assigned by: security-advisories@github.com, Primary)
References for CVE-2021-21377
- https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021 (omero-web/CHANGELOG.md at master, ome/omero-web on GitHub; Release Notes; Third Party Advisory)
- https://pypi.org/project/omero-web/ (omero-web on PyPI; Third Party Advisory)
- https://www.openmicroscopy.org/security/advisories/2021-SV2/ (2021-SV2 URL validation on login, Open Microscopy Environment (OME); Vendor Advisory)
- https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c (SV commits, ome/omero-web@952f8e5 on GitHub; Patch; Third Party Advisory)
- https://github.com/ome/omero-web/security/advisories/GHSA-g4rf-pc26-6hmr (OMERO webclient does not validate URL redirects on login or switching group, GitHub Security Advisory for ome/omero-web; Third Party Advisory)