What is CVE-2023-27578?

CVE-2023-27578 is a vulnerability in the Galaxy platform for data analysis that allows for an insufficient permission check.

Which versions of Galaxy are affected?

All supported versions of Galaxy prior to 22.01, 22.05, and 23.0 are affected.

What is the severity of CVE-2023-27578?

The severity of CVE-2023-27578 is critical with a CVSS score of 7.5.

How can I fix CVE-2023-27578?

To fix CVE-2023-27578, update your Galaxy installation to version 22.01, 22.05, or 23.0, or apply the provided patches.

What are the references for CVE-2023-27578?

The references for CVE-2023-27578 are: [Patch for release 22.01](https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_22.01.patch), [Patch for release 22.05](https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_22.05.patch), [Patch for release 23.0](https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_23.0.patch).

Vulnerability/
CVE-2023-27578

critical

9.1

CWE

863 284

20/3/2023

25/2/2025

CVE-2023-27578: Galaxy vulnerable to unauthorized modification of pages/visualizations due to insufficient permission check

First published: Mon Mar 20 2023(Updated: )

Galaxy is an open-source platform for data analysis. All supported versions of Galaxy are affected prior to 22.01, 22.05, and 23.0 are affected by an insufficient permission check. Unsupported versions are likely affected as far back as the functionality of Visualizations/Pages exists. Due to this issue, an attacker can modify or delete any Galaxy Visualization or Galaxy Page given they know the encoded ID of it. Additionally, they can copy or import any Galaxy Visualization given they know the encoded ID of it. Patches are available for versions 22.01, 22.05, and 23.0. For the changes to take effect, you must restart all Galaxy server processes. There are no supported workarounds.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Galaxyproject Galaxy	<22.01

Remedy

https://github.com/galaxyproject/galaxy/security/advisories/GHSA-j8q2-r4g5-f22j

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-27578?
CVE-2023-27578 is a vulnerability in the Galaxy platform for data analysis that allows for an insufficient permission check.
Which versions of Galaxy are affected?
All supported versions of Galaxy prior to 22.01, 22.05, and 23.0 are affected.
What is the severity of CVE-2023-27578?
The severity of CVE-2023-27578 is critical with a CVSS score of 7.5.
How can I fix CVE-2023-27578?
To fix CVE-2023-27578, update your Galaxy installation to version 22.01, 22.05, or 23.0, or apply the provided patches.
What are the references for CVE-2023-27578?
The references for CVE-2023-27578 are: [Patch for release 22.01](https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_22.01.patch), [Patch for release 22.05](https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_22.05.patch), [Patch for release 23.0](https://depot.galaxyproject.org/patch/GX-2022-0002/modify_pages_viz-release_23.0.patch).

collector/nvd-index
agent/type
agent/weakness
agent/references
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/severity
agent/remedy
agent/title
agent/last-modified-date
agent/author
agent/description
agent/event
agent/first-publish-date
agent/tags
agent/source
vendor/galaxyproject
canonical/galaxyproject galaxy

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.