Enumeration of usernames possible in Jira


    • 4.03
    • 5

      We found enumeration of usernames to be possible in Jira 4.3.4 despite the login failure message not revealing whether it was the username or password that was incorrect.

      After 3 failed login attempts a captcha appears only if the user exists, otherwise not. This allows an attacker to enumerate the usernames.

      Security issue found by Asbjørn Reglund Thorsen <a.r.thorsen@usit.uio.no> and Geir Harald Hansen <g.h.hansen@usit.uio.no>
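The following model of the login flow is an added example, not Atlassian's code: it reproduces the reported behaviour (the captcha counter lives only on existing user records) beside a hardened variant that counts failures per submitted name, and a check a defender can run to confirm the oracle is gone. Account names and passwords are constructed sample data.

```python
from collections import defaultdict

CAPTCHA_THRESHOLD = 3  # failed attempts before a captcha is demanded, as in the report

# Constructed sample account store (plaintext only to keep the model short).
ACCOUNTS = {"alice": "correct-horse", "bob": "hunter2"}
GENERIC_FAILURE = "Sorry, your username and password are incorrect."


def _login_response(ok, captcha):
    """Everything the client can observe: success flag, message, captcha shown."""
    return {"ok": ok, "message": None if ok else GENERIC_FAILURE, "captcha": captcha}


class VulnerableLogin:
    """Mirrors the reported 4.3.4 behaviour: the failure counter is stored on the
    user record, so only an existing account ever reaches the captcha."""

    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, username, password):
        if username not in ACCOUNTS:
            return _login_response(False, captcha=False)  # no record, so no counter
        if self.failures[username] >= CAPTCHA_THRESHOLD:
            return _login_response(False, captcha=True)
        if ACCOUNTS[username] == password:
            self.failures[username] = 0
            return _login_response(True, captcha=False)
        self.failures[username] += 1
        return _login_response(False, captcha=self.failures[username] >= CAPTCHA_THRESHOLD)


class HardenedLogin:
    """Counts failures per submitted name whether or not it exists, so the
    captcha appears identically for real and invented usernames."""

    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, username, password):
        if self.failures[username] >= CAPTCHA_THRESHOLD:
            return _login_response(False, captcha=True)
        if ACCOUNTS.get(username) == password:  # None never equals a password string
            self.failures[username] = 0
            return _login_response(True, captcha=False)
        self.failures[username] += 1
        return _login_response(False, captcha=self.failures[username] >= CAPTCHA_THRESHOLD)


def leaks_existence(login_cls, real_user, fake_user, attempts=CAPTCHA_THRESHOLD + 1):
    """Defender's check: replay the same wrong-password sequence against an
    existing and a non-existing name; any difference in responses is an oracle."""
    handler = login_cls()
    real = [handler.attempt(real_user, "wrong") for _ in range(attempts)]
    fake = [handler.attempt(fake_user, "wrong") for _ in range(attempts)]
    return real != fake
```

In a real deployment the per-name counter should be backed by the same store as the account counter (and usually paired with a per-client limit) so the timing of the two paths also matches.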

Assignee: Unassigned
Reporter: Asbjørn Thorsen
Votes: 0
Watchers: 4