[RTFACT-17659] User added manually to an external (LDAP) group will be given permissions assigned to that group even if not a member Created: 17/Oct/18  Updated: 17/Oct/18

Status: Open
Project: Artifactory Binary Repository
Component/s: LDAP, permissions, Security
Affects Version/s: 6.4.0
Fix Version/s: None

Type: Bug Priority: Critical
Reporter: Stefan Gangefors Assignee: Unassigned
Resolution: Unresolved Votes: 1
Labels: artifactory, ldap, security
Environment: Artifactory 6.4.0 (dockerized)

Description

I just started to import LDAP groups into Artifactory and I noticed something that could be a security issue.

  1. Import a group from LDAP
  2. Assign admin rights to that group
  3. Add a non-admin LDAP user to the imported group (the user should not be a member of the group in AD)
  4. Log in as the user and notice that the user has admin rights
  5. Check the group to verify that the user has been removed from the group
  6. Log out and in again and notice that the user is not an admin

To me it seems that Artifactory doesn't check the membership status of external groups before applying the permissions the user should have, and therefore the user might get permissions it shouldn't have.


Update: I tested to see if a manually added user got "manage" rights to a permission item, but those permissions seem to be applied correctly on login. However, if an external group is marked as "admin", any manually added LDAP users will get admin rights on first login, as described above.

I can't seem to recreate it with a local user.

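Added example (not part of the report and not Artifactory's own code): a small Python model of the two ways the login step can turn group membership into an admin decision, the one the report describes (stored membership trusted for every group) and the one a practitioner would expect (membership of LDAP-sourced groups taken only from the directory lookup done at login), plus an audit helper that lists stored memberships the directory does not confirm. Group names, user names and the realm strings "internal"/"ldap" are assumptions made for the illustration; the scenario data is constructed to follow the reproduction steps above.

```python
# Added example, not Artifactory code: a model of how group membership is
# turned into an admin decision at login. Group names, user names and the
# realm strings ("internal", "ldap") are assumptions for the illustration.
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    realm: str                 # "internal" for local groups, "ldap" for imported ones
    admin: bool = False        # group marked as admin in the UI
    # Membership as stored in the application's own database, i.e. what the
    # UI edits when someone adds a user to the group by hand.
    local_members: set = field(default_factory=set)


def effective_groups_reported(user, groups):
    """Behaviour the report describes: stored membership is trusted for
    every group, including ones imported from LDAP."""
    return {g.name for g in groups if user in g.local_members}


def effective_groups_checked(user, groups, directory_groups):
    """Externally sourced groups take their membership only from the
    directory lookup performed at login; the stored list is ignored for
    them. `directory_groups` is the set of group names the LDAP search
    returned for `user`."""
    result = set()
    for g in groups:
        if g.realm == "ldap":
            if g.name in directory_groups:
                result.add(g.name)
        elif user in g.local_members:
            result.add(g.name)
    return result


def is_admin(effective_groups, groups):
    admin_groups = {g.name for g in groups if g.admin}
    return bool(effective_groups & admin_groups)


def stale_external_memberships(groups, directory_memberships):
    """Audit helper: users stored as members of an LDAP-realm group whom the
    directory does not place in that group. `directory_memberships` maps a
    user name to the set of group names LDAP returns for that user."""
    stale = []
    for g in groups:
        if g.realm != "ldap":
            continue
        for user in sorted(g.local_members):
            if g.name not in directory_memberships.get(user, set()):
                stale.append((g.name, user, g.admin))
    return stale


# Constructed scenario following the report's steps: "artifactory-admins"
# is imported from LDAP and marked admin; alice is added to it by hand but
# the directory only puts her in "developers".
GROUPS = [
    Group("artifactory-admins", realm="ldap", admin=True, local_members={"alice"}),
    Group("developers", realm="ldap", local_members={"alice", "bob"}),
    Group("release-managers", realm="internal", admin=True, local_members={"carol"}),
]
DIRECTORY = {
    "alice": {"developers"},
    "bob": {"developers"},
}


def reproduce(user="alice"):
    """Return the admin decision both ways for the constructed scenario."""
    reported = effective_groups_reported(user, GROUPS)
    checked = effective_groups_checked(user, GROUPS, DIRECTORY.get(user, set()))
    return {
        "reported": is_admin(reported, GROUPS),
        "checked": is_admin(checked, GROUPS),
    }


if __name__ == "__main__":
    print(reproduce())
    for group, user, admin in stale_external_memberships(GROUPS, DIRECTORY):
        print(f"stale: {user} stored in LDAP group {group} (admin={admin})")
```

The design point is that for a group whose realm is external, the stored member list is at best a cache and must not be the source of an authorization decision; the directory answer obtained at login is. The audit helper is the check worth running on a deployment: feed it the stored group list and a per-user directory lookup, and any row it returns for a group with admin set is the situation the report describes.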


Generated at Sat Apr 04 12:27:52 UTC 2020 using JIRA 7.6.16#76018-sha1:9ed376192612a49536ac834c64177a0fed6290f5.