Artifactory Binary Repository / RTFACT-17659

User added manually to an external (LDAP) group will be given permissions assigned to that group even if not a member


    Details

    • Type: Bug
    • Status: Open
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: 6.4.0
    • Fix Version/s: None
    • Component/s: LDAP, permissions, Security
    • Environment: Artifactory 6.4.0 (dockerized)

      Description

      I just started to import LDAP groups into Artifactory and I noticed something that could be a security issue.

      1. Import a group from LDAP
      2. Assign admin rights to that group
      3. Add a non-admin LDAP user to the imported group (user should not be a member of the group in the AD)
      4. Log in with the user and notice that the user has admin rights
      5. Check the group to verify that the user has been removed from the group
      6. Log out and then in again and notice that the user is not an admin

      To me it seems that Artifactory doesn't check membership status of external groups before applying the permission the user should have and therefore might get permissions it shouldn't have.


      Update: I tested to see if a manually added user got "manage" rights to a permission item, but those permissions seem to be applied correctly on login. However, if an external group is marked as "admin", any manually added LDAP users will get admin rights on first login according to the description above.

      I can't seem to recreate it with a local user.
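The following is an illustrative model of the failure mode described in the steps above, added to this page as an example; it is not Artifactory's code and makes no claim about how Artifactory resolves permissions internally. All names (`Group`, `DIRECTORY_MEMBERSHIP`, `naive_is_admin`, `checked_is_admin`, `sync_external_membership`, `find_stale_external_members`) and the sample users and groups are constructed for the example. It contrasts a resolver that trusts the locally stored membership list of an external group with one that confirms external-group membership against the directory at login, and includes an audit helper a defender could run to find local entries that the directory does not back.

```python
"""Model of group-derived admin resolution at login (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    external: bool                 # imported from LDAP / AD
    admin: bool                    # group flagged as "admin" in the application
    members: set = field(default_factory=set)   # membership list stored locally


# Constructed stand-in for the external directory: what LDAP actually says.
# "bob" is deliberately NOT a member of ldap-admins in the directory.
DIRECTORY_MEMBERSHIP = {
    "alice": {"ldap-admins"},
    "bob": set(),
}


def directory_groups(user):
    """Return the groups the (simulated) directory reports for a user."""
    return DIRECTORY_MEMBERSHIP.get(user, set())


def naive_is_admin(user, groups):
    """Vulnerable pattern: trusts the local membership list for every group,
    so a user added manually to an external admin group is treated as admin."""
    return any(g.admin and user in g.members for g in groups)


def checked_is_admin(user, groups):
    """Hardened pattern: for external groups, only directory-confirmed
    membership counts; local lists are authoritative for local groups only."""
    confirmed = directory_groups(user)
    for g in groups:
        if not g.admin:
            continue
        if g.external:
            if g.name in confirmed:
                return True
        elif user in g.members:
            return True
    return False


def sync_external_membership(user, groups):
    """Reconcile external groups with the directory (the removal the reporter
    observed after the first login): add confirmed members, drop unconfirmed."""
    confirmed = directory_groups(user)
    for g in groups:
        if g.external:
            if g.name in confirmed:
                g.members.add(user)
            else:
                g.members.discard(user)


def find_stale_external_members(groups):
    """Audit helper: (user, group) pairs present locally in an external group
    but not backed by the directory. Non-empty output is worth investigating."""
    return {(u, g.name) for g in groups if g.external
            for u in g.members if g.name not in directory_groups(u)}


def scenario(resolver):
    """Replay steps 3-6 of the report with a given resolver.
    Returns (admin on first login, admin on second login)."""
    groups = [
        Group("ldap-admins", external=True, admin=True),
        Group("local-admins", external=False, admin=True),
    ]
    groups[0].members.add("bob")                 # step 3: manual add to LDAP group
    first = resolver("bob", groups)              # step 4: first login
    sync_external_membership("bob", groups)      # step 5: membership reconciled
    second = resolver("bob", groups)             # step 6: second login
    return first, second


if __name__ == "__main__":
    print("naive  :", scenario(naive_is_admin))    # (True, False)
    print("checked:", scenario(checked_is_admin))  # (False, False)
```

With the naive resolver the replay yields admin on the first login and not on the second, matching the report; with the checked resolver the manually added user is never admin, while a directory-confirmed member (`alice`) and a member of a local admin group still are. The audit helper reproduces the reporter's observation that the local user case is unaffected: only external groups are compared against the directory.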


      People


            Assignee:
            Unassigned
            Reporter:
            stefanga Stefan Gangefors
      Votes:
      1
      Watchers:
      2