You are viewing a plain text version of this content. The canonical link for it is here.

Posted to oak-issues@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2016/05/24 09:58:12 UTC

[jira] [Updated] (OAK-4301) Missing protection for system-maintained rep:externalId

     [ https://issues.apache.org/jira/browse/OAK-4301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela updated OAK-4301:
------------------------
    Component/s:     (was: security)

> Missing protection for system-maintained rep:externalId 
> --------------------------------------------------------
>
>                 Key: OAK-4301
>                 URL: https://issues.apache.org/jira/browse/OAK-4301
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external
>            Reporter: angela
>            Assignee: angela
>            Priority: Critical
>              Labels: security
>
> while working on OAK-4101 i noticed that the current implementation doesn't provide any protection for the system maintained property {{rep:externalId}}, which is intended to be an identifier for a given synchronized user/group within an external IDP.
> in other words:
> - the system doesn't assert the uniqueness of a given external-id
> - the external-id properties can be changed using regular JCR API 
> up to now i didn't manage to exploit the missing protection with the current default implementation but i found that minor (legitimate) changes have the potential to turn this into a critical vulnerability.
> therefore I would strongly recommend to change the default implementation such that the rep:externalId really becomes system-maintained and prevent any unintentional or malicious modification outside of the scope of the sync-operations. furthermore uniqueness of this property should be asserted.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)