Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Done
    • Affects Version/s: 3.4.0.Final, 3.5.0.Final, 3.6.0.Final, 3.6.1.Final, 3.7.0.Final, 3.7.1.Final, 3.7.2.Final, 4.0.0.Alpha2, 3.7.3.Final
    • Component/s: JCR
    • Labels:
      None

      Description

      The Session.getNodeByIdentifier(String) method and the deprecated Session.getNodeByUUID(String) method do not check ACLs. This is not a problem when a repository does not use ACLs, but when it does, these methods provide a security hole.
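
      A caller-side guard and a regression check for the behaviour described above, as an added example that is not ModeShape's code or its fix. The class and method names are hypothetical, and it assumes Session.hasPermission enforces the repository's ACLs on the affected versions.

```java
import javax.jcr.AccessDeniedException;
import javax.jcr.ItemNotFoundException;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

/** Hypothetical helper (not ModeShape code) for identifier-based lookups. */
public final class CheckedLookup {

    private CheckedLookup() {}

    /**
     * Resolves a node by identifier, then confirms the session may read the
     * node's path. JCR 2.0 specifies ItemNotFoundException both for a missing
     * node and for one the session cannot read, so the guard raises the same
     * exception and does not reveal that a protected node exists.
     */
    public static Node getNodeByIdentifier(Session session, String id)
            throws RepositoryException {
        // On an affected version this call may return a node the ACLs deny.
        Node node = session.getNodeByIdentifier(id);
        // Assumption: the path-based permission check honours the ACLs.
        if (!session.hasPermission(node.getPath(), Session.ACTION_READ)) {
            throw new ItemNotFoundException("No node with identifier " + id);
        }
        return node;
    }

    /**
     * Regression check for a test suite: 'restricted' is a session whose ACLs
     * deny read on the node identified by 'protectedId'. Returns true when the
     * repository refuses the raw identifier lookup, false when it leaks the node.
     */
    public static boolean identifierLookupHonorsAcl(Session restricted, String protectedId)
            throws RepositoryException {
        try {
            restricted.getNodeByIdentifier(protectedId);
            return false; // node returned despite the ACL
        } catch (ItemNotFoundException | AccessDeniedException expected) {
            return true;
        }
    }
}
```

      The same guard applies to the deprecated Session.getNodeByUUID(String); run the regression check with a session that has no read privilege on the target node.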

                People

                • Assignee:
                  rhauch Randall Hauch
                  Reporter:
                  rhauch Randall Hauch