4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21377

GHSA ID

GHSA-g4rf-pc26-6hmr

EPSS Score

0.53982%

CWE

CWE-601

Published

3/23/2021

Updated

10/8/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-21377

CVE-2021-21377: OMERO webclient does not validate URL redirects on login or switching group.

Background

OMERO.web supports redirection to a given URL after performing login or switching the group context. These URLs are not validated, allowing redirection to untrusted sites. OMERO.web 5.9.0 adds URL validation before redirecting. External URLs are not considered valid, unless specified in the omero.web.redirect_allowed_hosts setting.

Impact

OMERO.web before 5.9.0

Patches

5.9.0

Workarounds

No workaround

References

For more information

If you have any questions or comments about this advisory:

Open an issue in omero-web
Email us at security

(GitHub Advisory)

4.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-21377

GHSA ID

GHSA-g4rf-pc26-6hmr

EPSS Score

0.53982%

CWE

CWE-601

Published

3/23/2021

Updated

10/8/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
omero-web	pip	< 5.9.0	5.9.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing URL validation in redirect handling. The commit added validate_redirect_url() checks in both handle_logged_in (login flow) and change_active_group (group switching). These functions previously passed through user-controlled URLs without validation. The patch explicitly modifies these entry points to add security checks using Django's is_safe_url, confirming they were the vulnerable locations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### ***k*roun* OM*RO.w** supports r**ir**tion to * *iv*n URL **t*r p*r*ormin* lo*in or swit**in* t** *roup *ont*xt. T**s* URLs *r* not v*li**t**, *llowin* r**ir**tion to untrust** sit*s. OM*RO.w** *.*.* ***s URL v*li**tion ***or* r**ir**tin*. *xt*rn*

Reasoning

T** vuln*r**ility st*mm** *rom missin* URL v*li**tion in r**ir**t **n*lin*. T** *ommit ***** v*li**t*_r**ir**t_url() ****ks in *ot* **n*l*_lo****_in (lo*in *low) *n* ***n**_**tiv*_*roup (*roup swit**in*). T**s* *un*tions pr*viously p*ss** t*rou** us*

4.8

Basic Information

Concerned about an active attack path?

CVE-2021-21377: OMERO webclient does not validate URL redirects on login or switching group.

Background

Impact

Patches

Workarounds

References

For more information

4.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI