angela created OAK-4301:
---------------------------
Summary: Missing protection for system-maintained rep:externalId
Key: OAK-4301
URL: https://issues.apache.org/jira/browse/OAK-4301
Project: Jackrabbit Oak
Issue Type: Bug
Components: auth-external, security
Reporter: angela
Priority: Critical
While working on OAK-4101 I noticed that the current implementation doesn't
provide any protection for the system-maintained property {{rep:externalId}},
which is intended to be an identifier for a given synchronized user/group
within an external IDP.
In other words:
- the system doesn't assert the uniqueness of a given external-id
- the external-id properties can be changed using the regular JCR API
Up to now I didn't manage to exploit the missing protection with the current
default implementation, but I found that minor (legitimate) changes have the
potential to turn this into a critical vulnerability.
Therefore I would strongly recommend changing the default implementation such
that {{rep:externalId}} really becomes system-maintained, preventing any
unintentional or malicious modification outside of the scope of the
sync operations. Furthermore, uniqueness of this property should be asserted.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
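As an added illustration of the write-protection half of the mitigation requested above (not the project's own fix and not part of the issue), the following Oak commit validator rejects any add, change or delete of {{rep:externalId}} unless the commit runs under the system subject, which is the context the sync operations execute in. It assumes Oak's {{ValidatorProvider}}/{{DefaultValidator}} SPI and the {{SystemPrincipal}} marker; the class name and the error code 70 are constructed for this example, and uniqueness of the identifier is not covered here.

```java
import java.security.AccessController;
import javax.security.auth.Subject;

import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
import org.apache.jackrabbit.oak.spi.state.NodeState;

/**
 * Hypothetical validator (example only): makes rep:externalId effectively
 * system-maintained by failing every commit that touches it outside the
 * system subject, i.e. outside the sync operations.
 */
public class ExternalIdProtectionValidatorProvider extends ValidatorProvider {
    private static final String REP_EXTERNAL_ID = "rep:externalId";

    @Override
    protected Validator getRootValidator(NodeState before, NodeState after, CommitInfo info) {
        // The sync code runs with the system subject; everything else is checked.
        Subject subject = Subject.getSubject(AccessController.getContext());
        boolean isSystem = subject != null
                && !subject.getPrincipals(SystemPrincipal.class).isEmpty();
        return isSystem ? null : new ProtectingValidator();
    }

    private static final class ProtectingValidator extends DefaultValidator {
        @Override
        public void propertyAdded(PropertyState after) throws CommitFailedException { reject(after.getName()); }
        @Override
        public void propertyChanged(PropertyState before, PropertyState after) throws CommitFailedException { reject(after.getName()); }
        @Override
        public void propertyDeleted(PropertyState before) throws CommitFailedException { reject(before.getName()); }
        // Descend into added and changed subtrees so nested users/groups are covered;
        // removed subtrees are not descended (DefaultValidator returns null for them).
        @Override
        public Validator childNodeAdded(String name, NodeState after) { return this; }
        @Override
        public Validator childNodeChanged(String name, NodeState before, NodeState after) { return this; }

        private static void reject(String name) throws CommitFailedException {
            if (REP_EXTERNAL_ID.equals(name)) {
                // Error code 70 is an arbitrary value chosen for this example.
                throw new CommitFailedException(CommitFailedException.CONSTRAINT, 70,
                        "Attempt to modify protected property " + REP_EXTERNAL_ID);
            }
        }
    }
}
```

The provider has to be registered with the repository's commit hooks for the check to take effect; with it in place, a regular JCR session that sets, changes or removes {{rep:externalId}} gets a constraint violation on save.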