Project

General

Profile

Actions

Task #2958

open

Confidential attributes of an user account can be displayed through accounts agenda

Added by Petr Fišer over 2 years ago. Updated about 1 year ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
09/20/2021
Due date:
% Done:

0%

Estimated time:
Owner:

Description

When I display the account on a system agenda, e.g. https://172.31.255.123/idm/#/system/f007c3d4-5e50-49ce-8fd2-09564b7afcb3/accounts and I click a user, I can get to the value of userPassword attribute:

userPassword  e1NIQX0wRFBpS3VOSXJyVm1EOElVQ3V3MWhReE5xWmM9

Fortunately, it is a hash, but (as you can see here) it is only SHA so not really a strong one. The target system is some OpenLDAP connected with LDAP connector. Given some more funky target system (as some custom-tailored / archaic systems tend to be) there is a risk that IdM would be able to display user passwords through the account agenda.

Problem is that although connector does not return confidential attribute __PASSWORD__ (which comes from mapping), it still returns userPassword (which comes from schema). IdM loads accounts from target system using system schema.
In the above example, the userPassword attribute has those two settings enabled: "returned by default", "can be read". Changing their setting does not affect reported behavior in any way.

As per our discussion with @svandav , please make it so:
  • When reading data from connector into IdM, filter out schema attribute values when they are not "returned by default" so they do not propagate further.
  • Alternatively, filter them in such a way that they at least do not propagate to FE.

There was a brief discussion on slack regarding this (link below).


Related issues

Related to IdStory Identity Manager - Feature #3164: New account detailClosedRoman Kučera06/27/2022

Actions
Actions #2

Updated by Petr Fišer about 2 years ago

  • Assignee deleted (Vít Švanda)
  • Target version set to 12.2.0
Actions #4

Updated by Roman Kučera almost 2 years ago

  • Target version changed from 12.2.0 to 13.0.0
Actions #5

Updated by Tomáš Doischer over 1 year ago

Actions #6

Updated by Tomáš Doischer over 1 year ago

  • Target version changed from 13.0.0 to 12.4.0
Actions #7

Updated by Tomáš Doischer about 1 year ago

  • Target version changed from 12.4.0 to 13.1.0
Actions

Also available in: Atom PDF