Local user id corruption in OSS 3.61.0-02

delany · April 12, 2024, 6:56am

Hi. Somehow the id for all my local users ended up pointing to the same user, which happens to be the user that I selected for anonymous access.

The consequence of this bug/hack is that any roles/permissions I assign to any other local user get applied to the user I’m allowing anonymous access for! This raises serious concerns about the security of this software.

Currently I’m unable to modify roles/permissions for any LDAP user. What can I do to repair the issue?

github.com/sonatype/nexus-public

All user ids point to the same

opened 04:49AM - 11 Apr 24 UTC

delanym

question

I have local users and LDAP users configured. When I view the list of local use…rs I can see their "User ID" correctly displayed in the first column. When I open a user, no matter which one, the ID is listed as "proxies". If I add a role to any user, it gets added to the proxies user. I am unable to edit roles for any LDAP users. When I save, I get a notification "User not found: proxies" What is special about the proxies user? Well I deleted the anonymous user and set the proxies user as the anonymous user ![image](https://github.com/sonatype/nexus-public/assets/5310238/1cfd2d44-b197-4973-a0f9-0abd0d12f463) Nexus OSS 3.61.0-02 running on Windows The previous version was nexus-3.37.3-02 and I suspect that the issue did not exist at that time (I did the migration in November 2023)

delany · April 12, 2024, 7:32am

This is also deeply concerning LDAP Connections fail to Verify on 3.67.0-03 · Issue #372 · sonatype/nexus-public · GitHub