  1. camunda BPM
  2. CAM-13875

Clarify in security guide that only models from trusted sources/users should be deployed


Details

    Description

      Acceptance Criteria (Required on creation):

      • We often get security reports (e.g. SEC-22, SEC-24) that are only vulnerabilities in Camunda if an attacker can control the BPMN deployments. Since Camunda does not provide a proper sandbox for BPMN execution (scripts, expressions, BPMN control flow allow various attacks such as DoS or remote code execution if under the control of an attacker), it is a key aspect that only trusted users/systems get access to deployment APIs.
      • The security instructions do not state that clearly enough, e.g.:
      • As a result of this ticket, we have a section explaining this clearly that we can reference in the future
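
The first point above says a model's scripts and expressions are run by the engine. As an added example (not part of this ticket or of Camunda's code), the following review aid lists those constructs in a BPMN file so a reviewer can see what a deployment would execute. The sample model, function names and the set of constructs checked are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

BPMN_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL"
CAMUNDA_NS = "http://camunda.org/schema/1.0/bpmn"
EXPRESSION = re.compile(r"[$#]\{")  # ${...} or #{...}
CODE_ATTRS = {"class", "expression", "delegateExpression"}
SCRIPT_TAGS = {(BPMN_NS, "scriptTask"), (BPMN_NS, "script"), (CAMUNDA_NS, "script")}

# Constructed sample model, not taken from the ticket.
SAMPLE = """<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
             xmlns:camunda="http://camunda.org/schema/1.0/bpmn">
  <process id="order" isExecutable="true">
    <scriptTask id="calc" scriptFormat="groovy"><script>total = price * qty</script></scriptTask>
    <serviceTask id="notify" camunda:delegateExpression="${notifier}"/>
    <sequenceFlow id="flow1" sourceRef="calc" targetRef="notify">
      <conditionExpression>${total &gt; 100}</conditionExpression>
    </sequenceFlow>
    <userTask id="approve" name="Approve order"/>
  </process>
</definitions>"""

def split_name(name):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    ns, _, local = name.rpartition("}")
    return ns.lstrip("{"), local

def executable_constructs(bpmn_xml):
    """Return sorted (element id, kind) pairs for parts the engine would run."""
    # Use a hardened XML parser before reading models from unknown sources.
    root = ET.fromstring(bpmn_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}

    def owner_id(el):
        # Walk up to the nearest element that carries an id.
        while el is not None and "id" not in el.attrib:
            el = parent_of.get(el)
        return el.get("id") if el is not None else "?"

    found = set()
    for el in root.iter():
        if split_name(el.tag) in SCRIPT_TAGS:
            found.add((owner_id(el), "script"))
        # Element text is checked alongside the attribute values.
        for name, value in [("", el.text or ""), *el.attrib.items()]:
            ns, local = split_name(name)
            if ns == CAMUNDA_NS and local in CODE_ATTRS:
                found.add((owner_id(el), local))
            elif EXPRESSION.search(value):
                found.add((owner_id(el), "expression"))
    return sorted(found)
```

This supports reviewing models from trusted deployers; it is not a sandbox, and an empty result does not make a model from an untrusted source safe to deploy.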

      Hints (Optional):


            People

              Unassigned
              Thorben Lindhauer (thorben.lindhauer)
              Thorben Lindhauer
              Tassilo Weidner