CVE-2021-21377

low-risk
Published 2021-03-23

OMERO.web is open source Django-based software for managing microscopy imaging. OMERO.web before version 5.9.0 supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting.

Do I need to act?

-
0.31% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.8/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Omero.Web

Affected Vendors

Openmicroscopy

References (10)

Release Notes https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021
Patch https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c
Third Party Advisory https://github.com/ome/omero-web/security/advisories/GHSA-g4rf-pc26-6hmr
Third Party Advisory https://pypi.org/project/omero-web/
Vendor Advisory https://www.openmicroscopy.org/security/advisories/2021-SV2/
Release Notes https://github.com/ome/omero-web/blob/master/CHANGELOG.md#590-march-2021
Patch https://github.com/ome/omero-web/commit/952f8e5d28532fbb14fb665982211329d137908c
Third Party Advisory https://github.com/ome/omero-web/security/advisories/GHSA-g4rf-pc26-6hmr
Third Party Advisory https://pypi.org/project/omero-web/
Vendor Advisory https://www.openmicroscopy.org/security/advisories/2021-SV2/
21
/ 100
low-risk
Severity 15/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal