Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Medium
Component/s: None
Labels:

CVSS Score:
6
Bug Fix Policy:
View Atlassian Cloud bug fix policy

Description

An attacker is able to perform bruteforce attacks via the applinks servlet. There is no captcha protection, nor do accounts get locked out after excessive attempts.

The attacker can input a username, and perform bruteforce attacks on the login form. The core issue is that there is no login attempt limitation for an attacker.

The bruteforce attack can be executed through the form on:
https://example.com/plugins/servlet/applinks/login on a standard JIRA installation.

This vulnerability was reported by Nir Goldshlager ngoldshlager@salesforce.com.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List

newapplauth1.png
48 kB
16/Jul/2014 6:39 AM
newapplauth2.png
37 kB
16/Jul/2014 6:39 AM

Issue Links

causes

CONFSERVER-34310 Upgrade to Application Links 4.2.4, SAL 2.12.2+

Closed

BDEV-5818 Loading...

is blocked by

SER-198 Support user role and page capabilities in login url

Closed

SAL-265 Loading...

is related to

JRASERVER-39307 Show minimum required privileges on login screen

Closed

has action: BDEV-8917 Loading...

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

was cloned as: APL-1215 Loading...

(1 has action, 8 mentioned in, 1 was cloned as)

Activity

People

Assignee:: Oswaldo Hernandez (Inactive)

Reporter:: Nir Goldshlager

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 25/Jun/2014 11:54 PM

Updated:: 15/Aug/2019 5:32 AM

Resolved:: 11/Aug/2014 5:48 AM