Brute force protection on JIRA 4.1 leaks valid account names

Type atlassian
Reporter pkorathota
Modified 2019-04-16T03:54:07


{panel:bgColor=#e7f4fa} NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? [See the corresponding suggestion|]. {panel}

The brute force login protection in JIRA only activates when the submitted login name belongs to an existing user account. Because the response after repeated failures differs for existing and non-existing names, an attacker can use it to harvest a list of valid logins on the system.

The brute force login protection should activate whenever a login attempt fails, whether the login name or the password is wrong.
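The following added example (written for this page, not Atlassian's or JIRA's own code) models the flaw described above and the suggested fix side by side. `LeakyLoginService` only counts failed attempts for names that match an existing account, so the "CAPTCHA required" response appears only for real users; `UniformLoginService` keys its failure counter on whatever name was submitted, so the observable response after the threshold is identical for real and fake names. The account, password, threshold and response strings are constructed sample values, and `enumeration_observable` is a hypothetical helper that a defender can use as a regression test for this kind of leak.

```python
"""Added example: brute force protection that leaks account existence versus
one that behaves uniformly. All names, passwords and thresholds are constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

MAX_FAILURES = 3  # constructed threshold before a CAPTCHA is demanded


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example realistic; the leak is independent of the hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class _BaseLoginService:
    def __init__(self, accounts: Dict[str, str]):
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        for name, password in accounts.items():
            salt = os.urandom(16)
            self._users[name] = (salt, _hash_password(password, salt))
        self._failures: Dict[str, int] = {}

    def _password_ok(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(_hash_password(password, salt), digest)


class LeakyLoginService(_BaseLoginService):
    """Models the reported behaviour: only existing accounts are ever counted."""

    def login(self, username: str, password: str) -> str:
        if username in self._users and self._failures.get(username, 0) >= MAX_FAILURES:
            return "captcha_required"
        if self._password_ok(username, password):
            self._failures.pop(username, None)
            return "ok"
        if username in self._users:  # the flaw: unknown names never trip the counter
            self._failures[username] = self._failures.get(username, 0) + 1
        return "invalid_credentials"


class UniformLoginService(_BaseLoginService):
    """Suggested fix: count every failure under the submitted name, real or not."""

    def login(self, username: str, password: str) -> str:
        if self._failures.get(username, 0) >= MAX_FAILURES:
            return "captcha_required"
        if self._password_ok(username, password):
            self._failures.pop(username, None)
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "invalid_credentials"


def responses_after_failures(service: _BaseLoginService, username: str, attempts: int) -> List[str]:
    """Submit a wrong password `attempts` times and return the responses seen."""
    return [service.login(username, "wrong-password") for _ in range(attempts)]


def enumeration_observable(service_cls) -> bool:
    """Regression check: does a wrong-password probe tell a real name from a fake one?"""
    service = service_cls({"alice": "correct horse battery staple"})  # constructed account
    real = responses_after_failures(service, "alice", MAX_FAILURES + 1)
    fake = responses_after_failures(service, "nobody", MAX_FAILURES + 1)
    return real != fake


if __name__ == "__main__":
    print("leaky service leaks account names:", enumeration_observable(LeakyLoginService))
    print("uniform service leaks account names:", enumeration_observable(UniformLoginService))
```

The uniform variant closes the enumeration channel, but keying the counter on the submitted name alone means anyone can force a CAPTCHA onto an arbitrary name; in practice the counter is usually combined with a per-source-address limit so the protection cannot be turned into a denial of service against known users.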