Failed login attempts from an anonymous user can trigger captcha for all users


    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • 7.17.0
    • Affects Version/s: 7.4.8, 7.13.0, 7.13.7, 7.13.8
    • Component/s: User - Management
    • None
    • 5
    • Severity 2 - Major
    • 14

      The fix for this bug will be released to our Long Term Support release.

      The fix for this bug has been approved for backport and will be available in an upcoming 7.13 release of Confluence. Check the fix-version field for details.

      Problem

      Failed login attempts from an anonymous user can trigger a captcha for all users.

      Environment

      Confluence v7.13

      Steps to Reproduce

      Attempt to log in to Confluence via the following endpoint multiple times (usually 3, which is the default limit before the captcha is triggered).

      curl -X POST \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      -d 'os_username=&os_password=test&login=Log+in&os_destination=' \
      '<Confluence_Base_URL>/dologin.action'
      

      Expected Results

      The login will fail, but the login page for all other users in Confluence shouldn't be impacted.

      Actual Results

      A captcha is shown on every login page in Confluence. All users in Confluence will have to enter a captcha to log in.

      Workaround

      There are a couple of workarounds for this:

      • Restart Confluence
      • Flush cache for logins
        • General Configuration > Cache Management > Login Manager - Login attempts for unknown users > Flush

            Assignee:
            James Ponting
            Reporter:
            Hassan Aftab
            Votes:
            21
            Watchers:
            23
