Project: Bamboo Data Center
Issue: BAM-22115

X-Seraph-LoginReason response header improvements



      Problem Statement:

      Bamboo needs either a way to turn off the X-Seraph-LoginReason response header or header values that are the same whether or not the supplied username exists, because the current behaviour raises security concerns around user enumeration.

      When a user attempts to log in with Bamboo's internal authentication, the response carries an X-Seraph-LoginReason header holding the result of the login attempt:

      • AUTHENTICATION_DENIED
      • AUTHENTICATED_FAILED
      • OK

      An attacker can read this value and adjust their approach on each attempt in an effort to gain access to Bamboo.

      Either an option, toggle or switch could disable the X-Seraph-LoginReason header so that this value is never returned, or the returned values could be aligned so that they do not reveal whether a user exists.
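      A way to confirm the condition described above on an instance you own, added here as an example (it is not Bamboo's or Atlassian's code): send failed logins for one account that is known to exist and for a few random usernames, record the X-Seraph-LoginReason value each response carries, and report whether the values differ. The login path /userlogin.action and the os_username/os_password form fields are assumptions; the two responders at the bottom are constructed stand-ins for a leaky and an aligned instance so the check runs without a network, and they do not describe how any Bamboo version actually behaves.

```python
"""Added example (not Bamboo's or Atlassian's code): check whether a login
endpoint's X-Seraph-LoginReason header differs between an existing account
and usernames that do not exist, the user-enumeration condition in BAM-22115."""
import secrets
import urllib.error
import urllib.parse
import urllib.request

HEADER = "X-Seraph-LoginReason"
# Assumption: Seraph's standard form fields and this login action path.
# Verify the path against your own instance's login form before use.
LOGIN_PATH = "/userlogin.action"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the first response to the login POST (and its headers) instead of
    following any redirect it issues."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def post_login(base_url, username, password, timeout=10):
    """POST one login attempt; return the X-Seraph-LoginReason value or None."""
    body = urllib.parse.urlencode(
        {"os_username": username, "os_password": password}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + LOGIN_PATH,
                                 data=body, method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get(HEADER)
    except urllib.error.HTTPError as err:   # 3xx/4xx responses still carry headers
        return err.headers.get(HEADER)


def assess(known_reasons, unknown_reasons):
    """Compare header values seen for a known username against those seen for
    random (non-existent) usernames, all sent with wrong passwords."""
    known = set(known_reasons) - {None}
    unknown = set(unknown_reasons) - {None}
    if not known and not unknown:
        return "header-absent"
    if known == unknown:
        return "aligned"
    return "differentiates"


def probe(base_url, known_user, attempts=3, post=post_login):
    """Run the check. `known_user` must be an account you control: every
    attempt is a failed login against it and may count toward lockout."""
    wrong = "not-the-password-" + secrets.token_hex(8)
    known = [post(base_url, known_user, wrong) for _ in range(attempts)]
    unknown = [post(base_url, "nouser-" + secrets.token_hex(6), wrong)
               for _ in range(attempts)]
    return (assess(known, unknown),
            sorted(set(known) - {None}),
            sorted(set(unknown) - {None}))


# Constructed responders standing in for two hypothetical instances; they let
# the check run offline and do not model any real Bamboo version.
def leaky_instance(base_url, username, password):
    """Header value depends on whether the username exists."""
    return "AUTHENTICATION_DENIED" if username == "admin" else "AUTHENTICATED_FAILED"


def aligned_instance(base_url, username, password):
    """Same header value for every failed login."""
    return "AUTHENTICATED_FAILED"


if __name__ == "__main__":
    for name, responder in (("leaky", leaky_instance), ("aligned", aligned_instance)):
        verdict, k, u = probe("https://bamboo.example", "admin", post=responder)
        print(f"{name}: {verdict} known={k} unknown={u}")
    # Against a live instance you own (network access required):
    # print(probe("https://bamboo.example", "admin"))
```

      Only a "differentiates" verdict indicates the enumeration condition; "aligned" means the header is present but gives nothing away, and "header-absent" means the instance did not return it at all. Several attempts per username are used because a single response can reflect transient state such as lockout rather than whether the account exists.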

      Workaround

      No workaround is currently available.

            Mateusz Szmal
            Jeremy Owen (jowen@atlassian.com)
            Votes: 0
            Watchers: 5
