-
Type:
Bug
-
Resolution: Fixed
-
Priority:
Medium
-
Component/s: None
-
6
An attacker is able to perform bruteforce attacks via the applinks servlet. There is no captcha protection, nor do accounts get locked out after excessive attempts.
The attacker can input a username, and perform bruteforce attacks on the login form. The core issue is that there is no login attempt limitation for an attacker.
The bruteforce attack can be executed through the form on:
https://example.com/plugins/servlet/applinks/login on a standard JIRA installation.
This vulnerability was reported by Nir Goldshlager ngoldshlager@salesforce.com.
- causes
-
-
- Closed
-
-
BDEV-5818 Loading...
- is blocked by
-
-
- Closed
-
-
- is related to
-
JRASERVER-39307 Show minimum required privileges on login screen
- Closed
- has action
-
- mentioned in
-
-
-
-
-
-
-
-
- was cloned as
-
