[OAK-4301] Missing protection for system-maintained rep:externalId - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.4.8, 1.5.8, 1.6.0
Component/s: auth-external
Labels:
- security

Description

while working on ~~OAK-4101~~ i noticed that the current implementation doesn't provide any protection for the system maintained property rep:externalId, which is intended to be an identifier for a given synchronized user/group within an external IDP.

in other words:

the system doesn't assert the uniqueness of a given external-id
the external-id properties can be changed using regular JCR API

up to now i didn't manage to exploit the missing protection with the current default implementation but i found that minor (legitimate) changes have the potential to turn this into a critical vulnerability.

therefore I would strongly recommend to change the default implementation such that the rep:externalId really becomes system-maintained and prevent any unintentional or malicious modification outside of the scope of the sync-operations. furthermore uniqueness of this property should be asserted.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OAK-4301.patch
03/Aug/16 16:06
52 kB
Angela Schreiber

Issue Links

blocks

OAK-4860 Backport OAK-4301 and OAK-4825

Closed

is related to

OAK-4397 DefaultSyncContext.syncMembership may sync group of a foreign IDP

Closed

relates to

OAK-4101 Consider separate external (group) principal management

Closed

Activity

People

Assignee:: Angela Schreiber

Reporter:: Angela Schreiber

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 25/Apr/16 07:37

Updated:: 10/Nov/16 09:56

Resolved:: 04/Aug/16 14:03