[RTFACT-17659] User added manually to an external (LDAP) group will be given permissions assigned to that group even if not a member
Created: 17/Oct/18 Updated: 17/Oct/18
|Project:||Artifactory Binary Repository|
|Component/s:||LDAP, permissions, Security|
|Labels:||artifactory, ldap, security|
Artifactory 6.4.0 (dockerized)
I just started to import LDAP groups into Artifactory and I noticed something that could be a security issue.
To me it seems that Artifactory doesn't check the membership status of external groups before applying the permissions the user should have, and the user therefore might get permissions they shouldn't have.
Update: I tested to see if a manually added user got "manage" rights to a permission item, but those permissions seem to be applied correctly on login. However, if an external group is marked as "admin", any manually added LDAP users will get admin rights on first login according to the description above.
I can't seem to recreate it with a local user.
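The following audit sketch is an added example, not part of the original report and not Artifactory code. It flags users who were manually assigned to an external (LDAP) group that the directory does not list them in, and shows the membership check the report says is missing at login. The data model, group names and users are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Group:
    name: str
    realm: str           # "internal" or "ldap" (external); hypothetical model
    admin: bool = False  # group marked as "admin"

# Constructed sample data, not taken from a real instance.
GROUPS = [Group("ldap-admins", "ldap", True), Group("ldap-devs", "ldap"),
          Group("readers", "internal")]
# Assignments as stored locally, including manual additions.
ASSIGNMENTS = {"alice": {"ldap-admins", "readers"}, "bob": {"ldap-devs"},
               "carol": {"ldap-devs", "ldap-admins"}}
# Membership as the directory itself reports it.
DIRECTORY = {"ldap-admins": {"alice"}, "ldap-devs": {"bob"}}

def audit_external_assignments(groups, assignments, directory):
    """List (severity, user, group) where a stored external-group
    assignment is not confirmed by the directory."""
    by_name = {g.name: g for g in groups}
    findings = []
    for user, names in assignments.items():
        for name in names:
            group = by_name.get(name)
            if group is None or group.realm != "ldap":
                continue  # internal groups are legitimately managed by hand
            if user not in directory.get(name, set()):
                severity = "critical" if group.admin else "warning"
                findings.append((severity, user, name))
    # Admin-group findings first, then stable order by user and group.
    return sorted(findings, key=lambda f: (f[0] != "critical", f[1], f[2]))

def effective_groups(user, groups, assignments, directory):
    """Groups to honour at login: an external group counts only when
    the directory confirms the user is a member."""
    by_name = {g.name: g for g in groups}
    result = set()
    for name in assignments.get(user, set()):
        group = by_name.get(name)
        if group is None:
            continue
        if group.realm != "ldap" or user in directory.get(name, set()):
            result.add(name)
    return result

if __name__ == "__main__":
    for finding in audit_external_assignments(GROUPS, ASSIGNMENTS, DIRECTORY):
        print(*finding)
```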