[OAK-4301] Missing protection for system-maintained rep:externalId - ASF JIRA

Agile Board

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.4.8, 1.5.8, 1.6.0
Component/s: auth-external
Labels:
- security

Description

while working on ~~OAK-4101~~ i noticed that the current implementation doesn't provide any protection for the system maintained property rep:externalId, which is intended to be an identifier for a given synchronized user/group within an external IDP.

in other words:

the system doesn't assert the uniqueness of a given external-id
the external-id properties can be changed using regular JCR API

up to now i didn't manage to exploit the missing protection with the current default implementation but i found that minor (legitimate) changes have the potential to turn this into a critical vulnerability.

therefore I would strongly recommend to change the default implementation such that the rep:externalId really becomes system-maintained and prevent any unintentional or malicious modification outside of the scope of the sync-operations. furthermore uniqueness of this property should be asserted.