Attacker can modify or delete any Galaxy Visualization or Galaxy Page given they know the encoded ID of it. Additionally they can copy or import any Galaxy Visualization given they know the encoded ID of it.
Impact
All supported versions of Galaxy are affected i.e. 22.01, 22.05, and 23.0. Unsupported versions are likely affected as far back as the functionality of Visualizations/Pages exists.
Patches
To apply the patch, navigate to the root of your Galaxy directory, then execute:
wget -O - "URL of the patch for your version from above" | patch -p1
or:
curl "URL of the patch for your version from above" | patch -p1
You can test application of the patch before applying it by adding the --dry-run flag to patch.
For the changes to take effect, you must restart all Galaxy server processes.
All supported branches of Galaxy (>= release_22.01) were amended with the supplied patches.
Workarounds
You must apply the supplied patch or update to the release_22.01 or newer. There are no supported workarounds.
References
This vulnerability has been discovered and responsibly disclosed by @familiardisaster using the huntr.dev platform. The Galaxy Project is grateful for the help.
familiardisaster Finder
Attacker can modify or delete any Galaxy Visualization or Galaxy Page given they know the encoded ID of it. Additionally they can copy or import any Galaxy Visualization given they know the encoded ID of it.
Impact
All supported versions of Galaxy are affected i.e. 22.01, 22.05, and 23.0. Unsupported versions are likely affected as far back as the functionality of Visualizations/Pages exists.
Patches
To apply the patch, navigate to the root of your Galaxy directory, then execute:
or:
You can test application of the patch before applying it by adding the --dry-run flag to patch.
For the changes to take effect, you must restart all Galaxy server processes.
All supported branches of Galaxy (>= release_22.01) were amended with the supplied patches.
Workarounds
You must apply the supplied patch or update to the release_22.01 or newer. There are no supported workarounds.
References
This vulnerability has been discovered and responsibly disclosed by @familiardisaster using the huntr.dev platform. The Galaxy Project is grateful for the help.