Details
- Type: Suggestion
- Resolution: Fixed
Description
Problem Statement:
We need to be able to turn off the X-Seraph-LoginReason response header in Bamboo or align the values it provides when a user is present/not present due to security concerns around user enumeration.
When a user attempts to log in with Bamboo's internal authentication, the response carries a header whose value reports the outcome of the login attempt:
- AUTHENTICATION_DENIED
- AUTHENTICATED_FAILED
- OK
Because the value differs depending on whether the supplied username exists, an attacker can adjust their approach based on the result in an effort to access Bamboo.
There could be an option, toggle, or switch to disable the X-Seraph-LoginReason header so the value is never returned, or the response values could be aligned so they no longer reveal whether a user exists.
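As an added example that is not part of the ticket or of Bamboo itself, the following self-check classifies how X-Seraph-LoginReason behaves for two failed login responses (one for an unknown username, one for a known username with a wrong password): whether the header is absent, aligned, or acts as the user-existence oracle described above. The HTTP responses and the pairing of header values with user existence are constructed for the check and are not taken from the ticket.

```python
# Added example, not code from the Bamboo ticket or from Atlassian.
# Parses X-Seraph-LoginReason out of raw HTTP responses and compares the value
# returned for a failed login with an unknown username against the value for a
# failed login with a known username. All responses here are constructed samples.
from typing import Optional

HEADER = "X-Seraph-LoginReason"


def login_reason(raw_response: str) -> Optional[str]:
    """Return the X-Seraph-LoginReason value from a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == HEADER.lower():
            return value.strip()
    return None


def classify(resp_unknown_user: str, resp_known_user_wrong_pw: str) -> str:
    """Classify header behaviour as 'disabled', 'aligned' or 'oracle'."""
    unknown = login_reason(resp_unknown_user)
    known = login_reason(resp_known_user_wrong_pw)
    if unknown is None and known is None:
        return "disabled"  # header suppressed on both responses: nothing leaks
    if unknown == known:
        return "aligned"   # identical value regardless of user existence
    return "oracle"        # value (or presence) differs with user existence


# Constructed samples using the two failure values listed in the ticket; which value
# corresponds to which case is an assumption made for the sample, not a stated fact.
RESP_UNKNOWN = ("HTTP/1.1 401 Unauthorized\r\n"
                "X-Seraph-LoginReason: AUTHENTICATION_DENIED\r\nContent-Length: 0\r\n\r\n")
RESP_KNOWN = ("HTTP/1.1 401 Unauthorized\r\n"
              "X-Seraph-LoginReason: AUTHENTICATED_FAILED\r\nContent-Length: 0\r\n\r\n")
RESP_NOHDR = "HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(classify(RESP_UNKNOWN, RESP_KNOWN))  # oracle
    print(classify(RESP_KNOWN, RESP_KNOWN))    # aligned
    print(classify(RESP_NOHDR, RESP_NOHDR))    # disabled
```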
Workaround
No workaround is currently available.
Attachments
- (none)
Issue Links
- relates to SER-227 Allow X-seraph-loginreason to be Toggled On/Off in Jira and Bamboo (Open)