Brute force protection on JIRA 4.1 leaks valid account names

2010-04-19T00:57:41
ID ATLASSIAN:JRACLOUD-21036
Type atlassian
Reporter pkorathota
Modified 2019-04-16T03:54:07

Description

NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion: http://jira.atlassian.com/browse/JRASERVER-21036

The brute force login protection in JIRA only activates when the submitted username matches an existing user account. Because unknown usernames never trigger the protection, an attacker can use the difference in behaviour to harvest a list of valid logins on the system.

The brute force login protection should activate when either the login or the password is wrong.
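The following is an added illustration and not Atlassian's code: a small Python model of a login service that tracks failed attempts per submitted username. With `uniform=False` it reproduces the reported behaviour (only existing accounts accumulate failures and eventually receive the CAPTCHA response); with `uniform=True` every submitted username is counted, so the response no longer reveals whether the account exists. The account store, the threshold `MAX_FAILURES`, the static salt and the reduced PBKDF2 iteration count are constructed assumptions for the example.

```python
from collections import defaultdict
import hashlib
import hmac

# Constructed example settings (not JIRA's real values).
_SALT = b"constructed-static-salt"   # a real system uses a random per-user salt
_ITERATIONS = 20_000                 # deliberately low so the example runs quickly
MAX_FAILURES = 3                     # assumed threshold before a CAPTCHA is demanded


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed sample account store: username -> password hash.
ACCOUNTS = {
    "alice": _hash("correct horse battery staple", _SALT),
}


class LoginService:
    """Counts failed attempts per submitted username.

    uniform=False reproduces the reported defect: only usernames that exist
    are counted, so only they ever see the CAPTCHA response.
    uniform=True applies the same counting to every submitted username.
    """

    def __init__(self, uniform: bool):
        self.uniform = uniform
        self.failures = defaultdict(int)

    def login(self, username: str, password: str) -> str:
        record = ACCOUNTS.get(username)
        if record is None and not self.uniform:
            # Leaky path: unknown users are rejected before any counting happens.
            return "invalid-credentials"
        if self.failures[username] >= MAX_FAILURES:
            return "captcha-required"
        # Hash the supplied password and compare against a dummy hash when the
        # user does not exist, so the work done is the same either way.
        supplied = _hash(password, _SALT)
        expected = record if record is not None else _hash("dummy", _SALT)
        matches = hmac.compare_digest(expected, supplied)
        if record is not None and matches:
            self.failures.pop(username, None)   # successful login clears the count
            return "ok"
        self.failures[username] += 1
        return "invalid-credentials"


def responses_after_failures(service: LoginService, username: str, n: int) -> str:
    """Submit n wrong passwords, then return the response to the next attempt."""
    for _ in range(n):
        service.login(username, "wrong-password")
    return service.login(username, "wrong-password")


def leaks_account_existence(service: LoginService) -> bool:
    """Defender's check: after the same number of failures, does an existing
    username get a different response from a non-existing one?"""
    real = responses_after_failures(service, "alice", MAX_FAILURES)
    fake = responses_after_failures(service, "nobody", MAX_FAILURES)
    return real != fake


if __name__ == "__main__":
    print("leaky service leaks existence:", leaks_account_existence(LoginService(uniform=False)))
    print("uniform service leaks existence:", leaks_account_existence(LoginService(uniform=True)))
```

`leaks_account_existence` is the kind of regression check a team would keep alongside the fix: it fails on the leaky service and passes on the uniform one. Keying the counter on the submitted username rather than on a resolved account is what removes the distinguishing signal; the dummy hash comparison keeps the response time similar as well, so the fix does not trade a response-code oracle for a timing one.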