Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 7.17.13, 7.21.7, 8.6.0
Affects Version/s: 7.16.3, 7.21.7, 8.5.1, 8.6.1
Component/s: Crowd, Security - Other
Labels:
None

Support reference count:
1
Symptom Severity:
Severity 3 - Minor
UIS:
1
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Issue Summary

It is possible to check if a user exists in Bitbucket (either internal or external directories) on a login page by typing a username & incorrect password combination.

This is reproducible on Data Center: (yes)

Steps to Reproduce

Go to the Bitbucket logging page.
Try to log in with a user that exists in any of the Bitbucket user's directories.
Try to log in with a user that doesn't exist in any of the Bitbucket user's directories.

Expected Results

Error messages in both cases are the same:

Actual Results

Error messages are different in both cases allowing usernames discovery:

User exists in a directory:

User doesn't exist in a directory:

Workaround

Currently, there is no known workaround for this behavior. A workaround will be added here when available

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

image-2022-11-22-11-59-14-913.png
21 kB
22/Nov/2022 10:59 AM
image-2022-11-22-11-59-52-670.png
21 kB
22/Nov/2022 10:59 AM
image-2022-11-22-12-00-24-561.png
29 kB
22/Nov/2022 11:00 AM

Issue Links

mentioned in: Page Loading...

Activity

People

Assignee:: Unassigned

Reporter:: Tomasz Tokarczuk (Inactive)

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 22/Nov/2022 11:16 AM

Updated:: 19/Jan/2023 11:24 PM

Resolved:: 24/Nov/2022 3:45 AM