- Bug
- Resolution: Unresolved
- Low
- None
- 7.0.0
- 7
- 24
- Severity 3 - Minor
- 2
Summary
If JIRA is configured to sync with an LDAP directory whose configured unique ID attribute is not actually unique, synchronisation clobbers user records, and users can end up holding each other's sessions (session hijacking).
Steps to Reproduce
- Connect JIRA to an LDAP directory.
- Ensure there are multiple users in the LDAP directory that share the same value for the User Unique ID Attribute.
- Synchronise the user directories.
- Log in as one of those users.
Expected Results
The synchronisation fails and the admin is notified that there is a problem with the external user directory.
Actual Results
Users can become 'hijacked': app_user.user_key changes unexpectedly, so users that share the same unique ID value are mapped onto one another. This can also leave some users orphaned and log some sessions out.
Workaround
The LDAP directory must not be configured with a 'user unique ID attribute' whose values are not unique across users. The uniqueness requirement is documented in RFC 2307.
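The failure described under Steps to Reproduce and Actual Results, and the pre-sync check that Expected Results asks for, as an added example (not Atlassian's or JumpCloud's code): it parses a small constructed LDIF export, shows a naive sync silently overwriting one user with another that shares the same unique ID value, and a strict sync that refuses to proceed instead. The attribute names (`uidNumber` as the unique ID attribute) and the helper functions are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample export (not a real directory); attribute names are assumptions.
# alice and bob collide on uidNumber, the attribute chosen as the unique ID.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,o=example
uid: alice
uidNumber: 1001

dn: uid=bob,ou=Users,o=example
uid: bob
uidNumber: 1001

dn: uid=carol,ou=Users,o=example
uid: carol
uidNumber: 1002
"""

def parse_ldif(text):
    """Parse minimal LDIF (no line folding, no base64 values) into a list of dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():           # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def find_duplicate_ids(entries, id_attr):
    """Return {id_value: [dn, ...]} for every id value carried by more than one entry."""
    seen = defaultdict(list)
    for e in entries:
        for value in e.get(id_attr, []):
            seen[value].append(e["dn"][0])
    return {v: dns for v, dns in seen.items() if len(dns) > 1}

def naive_sync(entries, id_attr):
    """The buggy behaviour: key users by id_attr, so a later entry clobbers an earlier one."""
    return {e[id_attr][0]: e["dn"][0] for e in entries}

def safe_sync(entries, id_attr):
    """Fail loudly when id_attr is not unique, so an admin is alerted instead of users being merged."""
    dups = find_duplicate_ids(entries, id_attr)
    if dups:
        raise ValueError(f"{id_attr} is not unique in the directory: {dups}")
    return naive_sync(entries, id_attr)
```

With `uidNumber` the naive sync maps 1001 to bob only, losing alice; the strict sync raises, and both behave normally when keyed on the genuinely unique `uid`.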
Notes
This was reproduced with a JumpCloud LDAP integration.