[ https://issues.apache.org/jira/browse/OAK-4301?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Davide Giannella closed OAK-4301.
---------------------------------

Bulk close for 1.5.8

> Missing protection for system-maintained rep:externalId 
> --------------------------------------------------------
>
>                 Key: OAK-4301
>                 URL: https://issues.apache.org/jira/browse/OAK-4301
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: auth-external
>            Reporter: angela
>            Assignee: angela
>            Priority: Critical
>              Labels: security
>             Fix For: 1.5.8
>
>         Attachments: OAK-4301.patch
>
>
> While working on OAK-4101 I noticed that the current implementation doesn't 
> provide any protection for the system-maintained property {{rep:externalId}}, 
> which is intended to be an identifier for a given synchronized user/group 
> within an external IDP.
> In other words:
> - the system doesn't assert the uniqueness of a given external-id
> - the external-id properties can be changed using the regular JCR API 
> Up to now I didn't manage to exploit the missing protection with the current 
> default implementation, but I found that minor (legitimate) changes have the 
> potential to turn this into a critical vulnerability.
> Therefore I would strongly recommend changing the default implementation 
> such that the rep:externalId really becomes system-maintained, preventing any 
> unintentional or malicious modification outside of the scope of the 
> sync-operations. Furthermore, uniqueness of this property should be asserted.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)