Bamboo Data Center / BAM-22115

X-Seraph-LoginReason response header improvements


    Description

      Problem Statement:

      Because of security concerns around user enumeration, we need either a way to turn off the X-Seraph-LoginReason response header in Bamboo, or for the values it returns to be the same whether or not the named user exists.

      When a login is attempted with Bamboo's internal authentication methods, the response carries a header with the result of the login attempt:

      • AUTHENTICATION_DENIED
      • AUTHENTICATED_FAILED
      • OK

      This allows an attacker to adjust their methods according to the result in an effort to access Bamboo.

      There could be an option, toggle, or switch to disable the X-Seraph-LoginReason header so that this value is not returned; alternatively, the response values could be aligned so that they do not reveal whether a user exists.
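      To illustrate the two options above (turning the header off, or aligning its values so they no longer differ), here is an added example that is not Bamboo's or Seraph's code: a WSGI middleware that a reverse proxy in front of Bamboo could apply to login responses. The header name and its three values come from this issue; the proxy placement, the GENERIC_FAILURE token and the constructed upstream stand-in are assumptions.

```python
# Added example, not Bamboo code: a WSGI middleware sketch of the issue's two
# mitigations. GENERIC_FAILURE is an assumed placeholder, not a Seraph value.
HEADER = "X-Seraph-LoginReason"
GENERIC_FAILURE = "AUTHENTICATION_FAILED"  # assumed generic token

def normalize_login_reason(headers, drop=False):
    """Return a new WSGI header list where X-Seraph-LoginReason no longer
    reveals which failure occurred: drop=True removes it, otherwise every
    value other than OK becomes GENERIC_FAILURE. Name match is case-insensitive."""
    out = []
    for name, value in headers:
        if name.lower() != HEADER.lower():
            out.append((name, value))
        elif drop:
            continue                      # "turn off": header is not forwarded
        elif value.strip().upper() == "OK":
            out.append((name, value))     # success says nothing about other users
        else:
            out.append((name, GENERIC_FAILURE))  # "align": one token for all failures
    return out

class LoginReasonNormalizer:
    """WSGI middleware wrapping the upstream app and rewriting its response headers."""
    def __init__(self, app, drop=False):
        self.app, self.drop = app, drop

    def __call__(self, environ, start_response):
        def _start(status, headers, exc_info=None):
            return start_response(status, normalize_login_reason(headers, self.drop), exc_info)
        return self.app(environ, _start)

def _upstream(environ, start_response):
    """Constructed stand-in for the upstream login endpoint; the reason to emit is
    taken from environ so each value listed in the issue can be exercised."""
    reason = environ.get("demo.reason", "AUTHENTICATION_DENIED")
    start_response("200 OK", [("Content-Type", "text/plain"), (HEADER, reason)])
    return [b"login response\n"]

def client_view(reason, drop=False):
    """Send one request through the middleware; return the headers a client would see."""
    seen = {}
    def client_start(status, headers, exc_info=None):
        seen["headers"] = headers
    list(LoginReasonNormalizer(_upstream, drop)({"demo.reason": reason}, client_start))
    return seen["headers"]
```

      With drop=False, AUTHENTICATION_DENIED and AUTHENTICATED_FAILED both reach the client as the same token; with drop=True the header is absent from every response.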

      Workaround

      No workaround is currently available.

      People

        Mateusz Szmal
        Jeremy Owen