[ https://issues.apache.org/jira/browse/OAK-7506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Deparvu updated OAK-7506:
------------------------------
Fix Version/s: 1.10
> Prevent user enumeration by exploiting time delay vulnerability
> ---------------------------------------------------------------
>
> Key: OAK-7506
> URL: https://issues.apache.org/jira/browse/OAK-7506
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: security
> Reporter: Alex Deparvu
> Assignee: Alex Deparvu
> Priority: Minor
> Fix For: 1.10
>
>
> Pasting here the improvement request: "If the server response is different
> for existing and not existing usernames, the attacker is able to enumerate
> valid usernames with guessing attacks. He is thereby able to focus his
> password guessing attacks on the existing accounts."
> The fix for this particular issue seems trivial, at the cost of making the
> login operation slower in the case the user doesn't actually exist.
--
This message was sent by Atlassian JIRA (v7.6.3#76005)
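The timing channel the issue describes, and the "trivial but slower" fix it alludes to, shown as an added example. This is not Jackrabbit Oak code: the user store, the PBKDF2 parameters, the dummy credential and the function names `login_leaky`, `login_constant_work`, `hash_counts` and `median_ms` are all assumptions made for illustration. The leaky login returns as soon as the username lookup fails, so an unknown user never pays for the password hash; the hardened login hashes against a dummy record on that path, which is exactly the cost the issue accepts.

```python
import hashlib
import hmac
import os
import statistics
import time

# Added example, not Jackrabbit Oak code. A toy credential store with a
# slow password hash, used to show how an early return on an unknown
# username leaks account existence through response time, and the fix:
# spend the same amount of work on both paths.

ITERATIONS = 50_000  # PBKDF2 rounds; chosen so one hash takes tens of ms


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _make_record(password):
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed user store (assumption): username -> (salt, hash). Only "alice" exists.
USERS = {"alice": _make_record("correct horse battery staple")}

# Dummy credential generated once at startup. The hardened login hashes against
# it when the username is unknown so that path costs the same as a real check.
_DUMMY_SALT, _DUMMY_HASH = _make_record(os.urandom(32).hex())


def login_leaky(username, password, stats=None):
    """Vulnerable pattern: an unknown user returns before any hashing."""
    record = USERS.get(username)
    if record is None:
        return False  # fast path, no hash computed: existence is observable
    salt, expected = record
    if stats is not None:
        stats["hashes"] += 1
    return hmac.compare_digest(_hash_password(password, salt), expected)


def login_constant_work(username, password, stats=None):
    """Hardened pattern: one hash and one constant-time compare on every call."""
    record = USERS.get(username)
    known = record is not None
    salt, expected = record if known else (_DUMMY_SALT, _DUMMY_HASH)
    if stats is not None:
        stats["hashes"] += 1
    matched = hmac.compare_digest(_hash_password(password, salt), expected)
    # The expensive work is already done; this final check is cheap either way.
    return matched and known


def hash_counts(login):
    """Hash computations spent on an existing vs. a nonexistent username."""
    existing, missing = {"hashes": 0}, {"hashes": 0}
    login("alice", "wrong password", existing)
    login("mallory", "wrong password", missing)
    return existing["hashes"], missing["hashes"]


def median_ms(login, username, rounds=7):
    """Median wall-clock time of a failed login, in milliseconds."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        login(username, "wrong password")
        samples.append((time.perf_counter() - start) * 1000)
    return statistics.median(samples)


if __name__ == "__main__":
    for name, login in (("leaky", login_leaky), ("constant-work", login_constant_work)):
        print(f"{name:14s} hashes (existing, missing) = {hash_counts(login)}"
              f"  existing {median_ms(login, 'alice'):.1f} ms"
              f"  missing {median_ms(login, 'mallory'):.1f} ms")
```

Running the block prints the hash count and median latency for each variant; with the leaky login the "missing" column is near zero while the "existing" column is tens of milliseconds, and with the hardened login the two columns converge. Equalising the hash work closes the dominant channel but not every one: the store lookup itself and any per-user work done after a successful check still differ slightly, so the measurement should be repeated against the real login path rather than assumed fixed.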