Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 7.13.11, 7.19.3, 7.20.1
Affects Version/s: 7.4.8
Component/s: Security
Labels:

Support reference count:
1
Symptom Severity:
Severity 3 - Minor
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Issue Summary

Under certain conditions it's possible to enumerate valid usernames by replaying one of the password reset HTTP requests.

Steps to Reproduce

Request a password reset email
Open the password reset mail and click the link to open your browser
Intercept the POST request of the actual password entry saving (ie; Enter password twice and save, that is the request to capture.)
Replay that post after change the email in the request URI
It will validate whether that account does not exist or if it does

Expected Results

It should not be possible to determine valid usernames by replaying requests.

Actual Results

By replaying the mentioned request it is possible to confirm valid usernames.

Workaround

A suggestion was made 'The main problem is that the username is checked before the reset-token. It should be the other way around, so if you do not have a valid token you always get the same error message.'

Attachments

Issue Links

follows: VULN-633020 Loading...

links to

Original (master branch) ticket on AsecJ > VULN

Activity

People

Assignee:: Unassigned

Reporter:: Danny (Inactive)

Votes:: 1 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Due:: 11/Jun/2022

Created:: 29/Sep/2021 2:59 PM

Updated:: 23/Nov/2022 11:39 AM

Resolved:: 23/Nov/2022 11:22 AM