jackrabbit-oak-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "angela (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (OAK-4301) Missing protection for system-maintained rep:externalId
Date Wed, 03 Aug 2016 16:11:20 GMT

     [ https://issues.apache.org/jira/browse/OAK-4301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

angela updated OAK-4301:
    Fix Version/s: 1.5.8

> Missing protection for system-maintained rep:externalId 
> --------------------------------------------------------
>                 Key: OAK-4301
>                 URL: https://issues.apache.org/jira/browse/OAK-4301
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external
>            Reporter: angela
>            Assignee: angela
>            Priority: Critical
>              Labels: security
>             Fix For: 1.5.8
>         Attachments: OAK-4301.patch
> while working on OAK-4101 i noticed that the current implementation doesn't provide any
protection for the system maintained property {{rep:externalId}}, which is intended to be
an identifier for a given synchronized user/group within an external IDP.
> in other words:
> - the system doesn't assert the uniqueness of a given external-id
> - the external-id properties can be changed using regular JCR API 
> up to now i didn't manage to exploit the missing protection with the current default
implementation but i found that minor (legitimate) changes have the potential to turn this
into a critical vulnerability.
> therefore I would strongly recommend to change the default implementation such that the
rep:externalId really becomes system-maintained and prevent any unintentional or malicious
modification outside of the scope of the sync-operations. furthermore uniqueness of this property
should be asserted.

This message was sent by Atlassian JIRA

View raw message