Details
- Bug
- Resolution: Fixed
- Low
- 7.16.3, 7.21.7, 8.5.1, 8.6.1
- None
- 1
- Severity 3 - Minor
- 1
Description
Issue Summary
It is possible to check whether a user exists in Bitbucket (in either internal or external directories) from the login page by entering a username with an incorrect password.
This is reproducible on Data Center: (yes)
Steps to Reproduce
- Go to the Bitbucket login page.
- Try to log in with a user that exists in any of Bitbucket's user directories.
- Try to log in with a user that doesn't exist in any of Bitbucket's user directories.
Expected Results
Error messages in both cases are the same:
Actual Results
Error messages are different in the two cases, allowing username discovery:
User exists in a directory:
User doesn't exist in a directory:
Workaround
Currently, there is no known workaround for this behavior. A workaround will be added here when available.