A medium severity security vulnerability in Galaxy data libraries has been discovered. This vulnerability allows anyone able to access Galaxy's API to add to their history any data library dataset that they know an id of.
This vulnerability has been assigned the disclosure ID GX-2017-0005.
This vulnerability affects all versions of Galaxy released since at least 2011.
Given the ids of library datasets are presented encoded it is not easy to exploit this vulnerability in a targeted manner. However all Galaxy objects are enumerated incrementally so there are means to generate and/or guess valid ids of existing library datasets and read them.
Per our security policies, we have created fixes for versions of Galaxy starting with 16.07. These have been committed to the corresponding `release_YY.MM` (and `dev`) branches in the Galaxy GitHub repository.
Releases prior to 16.07 will remain vulnerable and should be updated to a supported release as soon as possible.
The fixes are available on the `release_16.07` through `release_17.09` and `dev` branches in the Galaxy GitHub repository. You can simply `git pull` or use your normal update procedure to get the changes.
For the changes to take effect, *YOU MUST RESTART ALL GALAXY SERVER PROCESSES*.
Martin (on behalf of the Galaxy Committers)