Details
- Bug
- Resolution: Fixed
- Medium
- None
- 6
Description
An attacker is able to perform brute-force attacks against the login form served by the Application Links (applinks) servlet. There is no CAPTCHA protection, and accounts are not locked out after excessive failed attempts.
The attacker supplies a username and repeatedly submits password guesses to the login form. The core issue is that the number of login attempts is not limited in any way.
On a standard JIRA installation the brute-force attack can be executed through the form at:
https://example.com/plugins/servlet/applinks/login
This vulnerability was reported by Nir Goldshlager ngoldshlager@salesforce.com.
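The missing control is a per-client, per-username limit on failed logins. As an added example that is not part of this report or of Atlassian's code, the following check flags such activity against the applinks login endpoint; the access-log layout, the constructed sample lines and the 401/403-as-failure assumption are all hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

APPLINKS_LOGIN = "/plugins/servlet/applinks/login"
# Assumed simplified log format: "<client-ip> <ISO-timestamp> POST <path> <status> user=<username>"
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) POST (?P<path>\S+) (?P<status>\d{3}) user=(?P<user>\S+)$"
)

# Constructed sample: five failures for "admin" from one client, a failure then a
# success for "bob", and one failure against an unrelated path that must be ignored.
SAMPLE_LOG = [
    "203.0.113.7 2015-03-10T12:00:00 POST /plugins/servlet/applinks/login 401 user=admin",
    "203.0.113.7 2015-03-10T12:00:30 POST /plugins/servlet/applinks/login 401 user=admin",
    "198.51.100.5 2015-03-10T12:00:45 POST /plugins/servlet/applinks/login 401 user=bob",
    "203.0.113.7 2015-03-10T12:01:00 POST /plugins/servlet/applinks/login 401 user=admin",
    "203.0.113.7 2015-03-10T12:01:30 POST /plugins/servlet/applinks/login 401 user=admin",
    "198.51.100.5 2015-03-10T12:01:55 POST /plugins/servlet/applinks/login 200 user=bob",
    "203.0.113.7 2015-03-10T12:02:00 POST /plugins/servlet/applinks/login 401 user=admin",
    "203.0.113.7 2015-03-10T12:02:10 POST /login.jsp 401 user=admin",
]

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["status"] = int(ev["status"])
    return ev

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {(ip, user): peak failures} for pairs reaching `threshold` failed applinks logins in any `window`."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"] != APPLINKS_LOGIN:
            continue
        if ev["status"] in (401, 403):  # assumption: a rejected login answers 401 or 403
            failures[(ev["ip"], ev["user"])].append(ev["ts"])
    flagged = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted failure times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged
```

The same counter, kept server-side and consulted before a password is checked, is what a lockout or rate limit on the servlet would be built on.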
Issue Links
- causes: CONFSERVER-34310 Upgrade to Application Links 4.2.4, SAL 2.12.2+ (Closed); BDEV-5818
- is blocked by: SER-198 Support user role and page capabilities in login url (Closed); SAL-265
- is related to: JRASERVER-39307 Show minimum required privileges on login screen (Closed)
- has action: BDEV-8917
- was cloned as: APL-1215