GHSA-VR85-5PWX-C6GQ

Vulnerability from github – Published: 2024-05-21 14:33 – Updated: 2024-05-21 15:39
VLAI?
Summary
OMERO.web must check that the JSONP callback is a valid function
Details

Background

There is currently no escaping or validation of the callback parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. One such endpoint is /webclient/imgData/.... As we only really use these endpoints with jQuery's own callback name generation ^1 it is quite difficult or even impossible to exploit this in vanilla OMERO.web. However, these metadata endpoints are likely to be used by many plugins.

Impact

OMERO.web before 5.25.0

Patches

Users should upgrade to 5.26.0 or higher

Workarounds

None

References

  • https://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call
  • https://stackoverflow.com/questions/1661197/what-characters-are-valid-for-javascript-variable-names

For more information If you have any questions or comments about this advisory:

Open an issue in omero-web Email us at security@openmicroscopy.org

Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "omero-web"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.26.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-35180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-830"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-21T14:33:23Z",
    "nvd_published_at": "2024-05-21T13:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Background\n\nThere is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. One such endpoint is `/webclient/imgData/...`. As we only really use these endpoints with jQuery\u0027s own callback name generation [^1] it is quite difficult or even impossible to exploit this in vanilla OMERO.web. However, these metadata endpoints are likely to be used by many plugins.\n\n[^1]: https://learn.jquery.com/ajax/working-with-jsonp/\n\n### Impact\nOMERO.web before 5.25.0\n\n### Patches\nUsers should upgrade to 5.26.0 or higher\n### Workarounds\n\nNone\n\n### References\n* https://stackoverflow.com/questions/2777021/do-i-need-to-sanitize-the-callback-parameter-from-a-jsonp-call\n* https://stackoverflow.com/questions/1661197/what-characters-are-valid-for-javascript-variable-names\n\nFor more information\nIf you have any questions or comments about this advisory:\n\nOpen an issue in [omero-web](https://github.com/ome/omero-web)\nEmail us at [security@openmicroscopy.org](mailto:security@openmicroscopy.org)\n",
  "id": "GHSA-vr85-5pwx-c6gq",
  "modified": "2024-05-21T15:39:43Z",
  "published": "2024-05-21T14:33:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ome/omero-web/security/advisories/GHSA-vr85-5pwx-c6gq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35180"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ome/omero-web/commit/d41207cbb82afc56ea79e84db532608aa24ab4aa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ome/omero-web"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OMERO.web must check that the JSONP callback is a valid function"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.