Status: Closed (View Workflow)
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.
Shared filters page shows usernames of filter owners, even for not logged users. This is not desirable since an attacker can utilize the usernames for in a brute force or dictionary attack.
Steps to reproduce:
- As an unauthenticated user, run a search for any term.
- The results pages has a "Find Filters" link
- Clicking on the "Find Filters" link redirects to a page with an option for "Popular".
- Clicking "Popular" lists filters "Shared with all users" and the usernames of authors of those filters.
Hide the owner of the filter when an unauthenticated user tries to search for it. Alternatively, you can consider hiding only the username of the owner and show only its complete name.
- is related to
JRASERVER-65380 Anonymous user is unable to access Manage Dashboard page via UI
- Gathering Impact
- relates to
JRACLOUD-43960 Shared filters page display username of filter owners for public
- mentioned in