Details
- Bug
- Resolution: Fixed
- Low
- 5.0.1, 5.1.3
- 1
- Severity 3 - Minor
- 2
Description
Summary
An AuthenticationFailureEvent is logged in the audit log when a clone is performed using a clone string that contains only the username.
Steps to Reproduce
- Perform a clone using HTTP as the protocol
- Make sure that the clone URL contains the username and no password (e.g. git clone http://<username>@<bitbucket_url>:<bitbucket_port>/scm/<project_key>/<repository_slug>.git)
Expected Results
No AuthenticationFailureEvent is logged.
Actual Results
The following line is logged in the atlassian-bitbucket-audit.log file:
<source_ip> | AuthenticationFailureEvent | <username> | 1499322505203 | <username> | {"authentication-method":"basic","error":"Invalid username or password."} | <session_id> | -
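For triaging this noise, the following added example (not Atlassian code) parses audit lines in the layout shown above and separates isolated basic-auth failures, such as the single line this bug produces, from repeated failures for the same source and username. The field names, the sample lines and the burst threshold of 5 failures in 60 seconds are assumptions made for illustration.

```python
import json
from collections import defaultdict

DETAIL = '{"authentication-method":"basic","error":"Invalid username or password."}'

def sample_line(ip, user, ts_ms):
    """Build a constructed audit line in the layout shown above."""
    return f"{ip} | AuthenticationFailureEvent | {user} | {ts_ms} | {user} | {DETAIL} | sess-constructed | -"

# Constructed sample: one isolated failure, one burst, one unrelated line.
SAMPLE = ([sample_line("192.0.2.10", "alice", 1499322505203)]
          + [sample_line("203.0.113.7", "bob", 1499322600000 + i * 1000) for i in range(5)]
          + ["not an audit line"])

def parse_line(line):
    """Return the named fields of one audit line, or None if the layout does not match."""
    head = line.rstrip("\n").split(" | ", 5)   # five leading fields, then the rest
    if len(head) != 6:
        return None
    tail = head[5].rsplit(" | ", 2)            # details JSON, session id, trailing field
    if len(tail) != 3:
        return None
    try:
        ts_ms, details = int(head[3]), json.loads(tail[0])
    except ValueError:                         # also covers json.JSONDecodeError
        return None
    if not isinstance(details, dict):
        return None
    return {"ip": head[0], "event": head[1], "user": head[2],
            "ts_ms": ts_ms, "details": details, "session": tail[1]}

def summarize_failures(lines, burst=5, window_ms=60_000):
    """Count basic-auth failures per (ip, user); mark groups with `burst` failures inside window_ms."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["event"] == "AuthenticationFailureEvent"
                and rec["details"].get("authentication-method") == "basic"):
            groups[(rec["ip"], rec["user"])].append(rec["ts_ms"])
    report = {}
    for key, stamps in groups.items():
        stamps.sort()
        review = any(stamps[i + burst - 1] - stamps[i] <= window_ms
                     for i in range(len(stamps) - burst + 1))
        report[key] = {"count": len(stamps), "review": review}
    return report

if __name__ == "__main__":
    for (ip, user), info in summarize_failures(SAMPLE).items():
        print(ip, user, info)
```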
Workaround
Use one of the following options for cloning:
- Use SSH as the protocol
- Provide the password in the clone string when using HTTP (e.g. git clone http://<username>:<password>@<bitbucket_url>:<bitbucket_port>/scm/<project_key>/<repository_slug>.git)
- Don't provide the username when performing the clone; the user interface will prompt for it (e.g. git clone http://<bitbucket_url>:<bitbucket_port>/scm/<project_key>/<repository_slug>.git)
- Update the audit log level to NONE; this will disable the audit logging feature entirely