Uploaded image for project: 'camunda BPM'
  1. camunda BPM
  2. CAM-13875

Clarify in security guide that only models from trusted sources/users should be deployed

XMLWordPrintable

      Acceptance Criteria (Required on creation):

      • We often get security reports (e.g. SEC-22, SEC-24) that are only vulnerabilities in Camunda if an attacker can control the BPMN deployments. Since Camunda does not provide a proper sandbox for BPMN execution (scripts, expressions, BPMN control flow allow various attacks such as DoS or remote code execution if under the control of an attacker), it is a key aspect that only trusted users/systems get access to deployment APIs.
      • The security instructions do not state that clearly enough, e.g.:
      • As a result of this ticket, we have a section explaining this clearly and that we can reference to in the future

      Hints (Optional):

        This is the controller panel for Smart Panels app

            [CAM-13875] Clarify in security guide that only models from trusted sources/users should be deployed

            Thorben Lindhauer added a comment -

            I will do the backport after the merge to master, so that I don't have to apply review hints multiple times.

            Thorben Lindhauer added a comment - I will do the backport after the merge to master, so that I don't have to apply review hints multiple times.

              Unassigned Unassigned
              thorben.lindhauer Thorben Lindhauer
              Thorben Lindhauer Thorben Lindhauer
              Tassilo Weidner Tassilo Weidner
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: