Jira Data Center: JRASERVER-45612

Active Directory/LDAP credentials stored in database in cleartext


Description

      We use an Active Directory server for authenticating our JIRA users, and a MySQL server for storing our JIRA data.

      We were extremely alarmed to discover that the username and password used for accessing the AD server are stored in cleartext in the MySQL database.

      Anyone who is able to compromise the JIRA database would then be able to obtain broader credentials on the network.

      Since our JIRA database is hosted on a different machine than the JIRA application, it would be significantly more secure for the password to be enciphered with a key stored on the application's host machine.

      We have mitigated this threat by using an account that has very limited permissions, but this still poses an unacceptable risk to our information security.

      We strongly urge Atlassian to implement some sensible encryption of the LDAP/AD credentials such as suggested above.
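The design the report asks for, encrypting the directory bind password with a key that lives only on the application host, can be shown in a few dozen lines. The following Go program is an added illustration of that pattern and is not Jira's code or Atlassian's implementation; the key path, the `directoryRow` struct and its column names, the `enc:v1:` prefix and the sample bind DN and URL are all constructed for the example. It uses AES-256-GCM with the bind DN as associated data, so a ciphertext copied from one directory row to another will not decrypt, and it refuses to treat an unprefixed (legacy cleartext) value as a sealed password, which is the check a migration would rely on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// encPrefix marks a sealed value so legacy cleartext rows can be told apart (constructed).
const encPrefix = "enc:v1:"

// loadOrCreateHostKey returns the 32-byte AES-256 key kept at keyPath on the
// application host (mode 0600), generating it on first use. The key is never
// written to the database, so a copy of the database alone reveals nothing.
func loadOrCreateHostKey(keyPath string) ([]byte, error) {
	if key, err := os.ReadFile(keyPath); err == nil {
		if len(key) != 32 {
			return nil, errors.New("host key must be exactly 32 bytes")
		}
		return key, nil
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	if err := os.WriteFile(keyPath, key, 0o600); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSecret encrypts the bind password with AES-256-GCM. The bind DN is the
// associated data, so the ciphertext is tied to the row it was created for.
// Output is "enc:v1:" + base64(nonce || ciphertext || tag).
func sealSecret(key []byte, bindDN, password string) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(password), []byte(bindDN))
	return encPrefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// openSecret reverses sealSecret. It rejects unprefixed (cleartext) values and
// any ciphertext whose key, tag or bind DN does not match.
func openSecret(key []byte, bindDN, stored string) (string, error) {
	if !strings.HasPrefix(stored, encPrefix) {
		return "", errors.New("stored value is not sealed; refusing to use it as a password")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, encPrefix))
	if err != nil {
		return "", err
	}
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	n := aead.NonceSize()
	if len(raw) < n+aead.Overhead() {
		return "", errors.New("sealed value too short")
	}
	plain, err := aead.Open(nil, raw[:n], raw[n:], []byte(bindDN))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// directoryRow stands in for the row a directory connector persists
// (constructed; these are not Jira's column names).
type directoryRow struct {
	URL, BindDN, StoredPassword string
}

func main() {
	keyPath := filepath.Join(os.TempDir(), "ldap-host-demo.key") // assumed location on the app host
	key, err := loadOrCreateHostKey(keyPath)
	if err != nil {
		panic(err)
	}
	row := directoryRow{URL: "ldaps://ad.example.test:636", BindDN: "CN=jira-svc,OU=Service,DC=example,DC=test"}
	if row.StoredPassword, err = sealSecret(key, row.BindDN, "correct horse battery staple"); err != nil {
		panic(err)
	}
	fmt.Println("what the database holds:", row.StoredPassword)
	pw, err := openSecret(key, row.BindDN, row.StoredPassword)
	fmt.Println("recovered on the app host:", err == nil && pw == "correct horse battery staple")
}
```

With this layout, an attacker who obtains only the database sees the `enc:v1:` blob and cannot bind to the directory; recovering the password also requires the key file on the application host, which is exactly the separation the report describes.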

People

pprzytarski Pawel Przytarski
7fe2d65b7323 Luke Goodsell
Votes: 9
Watchers: 24
