Enumeration of usernames possible in Jira


    • 4.03
    • 5

      We found enumeration of usernames to be possible in Jira 4.3.4 despite the login failure message not revealing whether it was the username or password that was incorrect.

      After 3 failed login attempts a captcha appears only if the user exists, otherwise not. This allows an attacker to enumerate the usernames.

      Security issue found by Asbjørn Reglund Thorsen <a.r.thorsen@usit.uio.no> and Geir Harald Hansen <g.h.hansen@usit.uio.no>
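The oracle described above, and the usual fix, as an added example that is not Jira's code: a toy login service with two modes. In `leaky` mode the failure counter (and therefore the CAPTCHA) only exists for accounts that are actually in the user table, so after the same three bad attempts an existing and a non-existent username get different responses. In the hardened mode the counter is keyed on whatever username was submitted and an unknown user still pays for a password verification against a dummy hash, so the response and its timing do not depend on whether the account exists. The accounts, passwords and the `captcha_reveals_account` self-check are constructed for the example.

```python
"""Added example (not Jira's code): a toy login service that models the
CAPTCHA-based account oracle from the report, next to a hardened variant."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

CAPTCHA_THRESHOLD = 3  # report: CAPTCHA appears after 3 failed attempts


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class LoginService:
    """leaky=True mirrors the reported behaviour: failures are only tracked
    (and the CAPTCHA only shown) for accounts that exist.
    leaky=False tracks failures for whichever username was submitted."""

    def __init__(self, leaky: bool):
        self.leaky = leaky
        self._failures: Dict[str, int] = {}
        # Constructed demo accounts (assumption, not real data).
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        for name, pw in (("alice", "correct horse"), ("bob", "hunter22")):
            salt = os.urandom(16)
            self._users[name] = (salt, _hash(pw, salt))
        # Dummy credential so unknown users cost the same password check.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash("dummy-password", self._dummy_salt)

    def _record_failure(self, username: str) -> dict:
        self._failures[username] = self._failures.get(username, 0) + 1
        # Same generic error for bad user and bad password, as in the report.
        return {"success": False, "captcha_required": self.needs_captcha(username)}

    def login(self, username: str, password: str) -> dict:
        record: Optional[Tuple[bytes, bytes]] = self._users.get(username)
        if record is None:
            if self.leaky:
                # Unknown account: nothing is counted, so no CAPTCHA ever.
                return {"success": False, "captcha_required": False}
            # Hardened: burn the same hash work and count the failure anyway.
            hmac.compare_digest(_hash(password, self._dummy_salt), self._dummy_hash)
            return self._record_failure(username)
        salt, stored = record
        if hmac.compare_digest(_hash(password, salt), stored):
            self._failures.pop(username, None)
            return {"success": True, "captcha_required": False}
        return self._record_failure(username)

    def needs_captcha(self, username: str) -> bool:
        return self._failures.get(username, 0) >= CAPTCHA_THRESHOLD


def captcha_reveals_account(service: LoginService, existing: str, unknown: str) -> bool:
    """Self-check for the deployment: after the same number of failed logins,
    does the CAPTCHA flag differ between a real and a non-existent account?"""
    seen = {}
    for name in (existing, unknown):
        resp = {"captcha_required": False}
        for _ in range(CAPTCHA_THRESHOLD):
            resp = service.login(name, "wrong-password")
        seen[name] = resp["captcha_required"]
    return seen[existing] != seen[unknown]


if __name__ == "__main__":
    print("leaky service reveals accounts:",
          captcha_reveals_account(LoginService(leaky=True), "alice", "nobody"))
    print("hardened service reveals accounts:",
          captcha_reveals_account(LoginService(leaky=False), "alice", "nobody"))
```

The counter in the hardened variant should be bounded in practice (expire entries, or key it on client address as well) so that unknown usernames cannot be used to fill memory; the point here is only that the CAPTCHA decision must be a function of the submitted name and attempt count, never of account existence.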

            Assignee:
            Unassigned
            Reporter:
            Asbjørn Thorsen
            Votes:
            0
            Watchers:
            4