Details
- Suggestion
- Resolution: Won't Fix
- None
- 25
Description
This came out in a recent security scan our internal Cyber Security team ran against both UAT and Production Jira environments.
The Web server allows form-based authentication without disabling the AutoComplete feature for the password field.
If the browser is used in a shared computing environment where more than one person may use the browser, then "autocomplete" values may be retrieved or submitted by an unauthorized user.
Contact the vendor to have the AutoComplete attribute disabled for the password field in all forms. The AutoComplete attribute should also be disabled for the user ID field.
Developers can add the following attribute to the form or input element: autocomplete="off"
This attribute prevents the browser from prompting the user to save the populated form values for later reuse.
We need a way to disable AutoComplete in the login screen from inside the Jira GUI or by any other means that is actually supported by Atlassian.
Issue Links
- is related to: CONFSERVER-54157 Option for Autocomplete for username and password to be available on front end (Closed)
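The scanner finding in the description can be reproduced with a small check like the one below. It is an added example, not code from the reporter or from Atlassian. It reports password and user ID inputs whose effective `autocomplete` value is not "off", taking the value inherited from the enclosing form into account. The sample forms and the `USER_ID_NAMES` list are constructed assumptions.

```python
from html.parser import HTMLParser

# Names treated as the user ID field (assumed for this example).
USER_ID_NAMES = {"username", "user", "userid", "login"}

# Constructed sample forms, not taken from any real product.
WEAK = '<form><input type="text" name="username"><input type="password" name="password"></form>'
HARDENED = '<form autocomplete="off"><input name="username"><input type="password" name="password"></form>'
OVERRIDE = '<form autocomplete="off"><input type="password" name="password" autocomplete="on"></form>'

class AutocompleteAudit(HTMLParser):
    """Collect password and user ID inputs whose effective autocomplete is not "off"."""
    def __init__(self):
        super().__init__()
        self.form_ac = None   # autocomplete value of the enclosing <form>, if any
        self.findings = []    # (field name, field kind, effective value)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_ac = a.get("autocomplete")
        elif tag == "input":
            kind = self._kind(a)
            if kind:
                # The input's own attribute overrides the form's; the default is "on".
                effective = a.get("autocomplete", self.form_ac) or "on"
                if effective != "off":
                    self.findings.append((a.get("name", "?"), kind, effective))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_ac = None

    @staticmethod
    def _kind(a):
        if a.get("type") == "password":
            return "password"
        if a.get("type", "text") in ("text", "email") and a.get("name") in USER_ID_NAMES:
            return "user-id"
        return None

def audit(html):
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for label, page in (("weak", WEAK), ("hardened", HARDENED), ("override", OVERRIDE)):
        print(label, audit(page))
```

Most current browsers may still offer to save login credentials through their password manager even when `autocomplete="off"` is set, so a clean result from this check shows the attribute is present, not that nothing is stored.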