Bug 1748185 (CVE-2019-14840)

Summary: CVE-2019-14840 Business-central: Sensitive HTML Form Fields like Password has auto-complete Enabled
Product: [Other] Security Response
Reporter: Paramvir jindal <pjindal>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: akoufoud, alazarot, almorale, anstephe, etirelli, ibek, jstastny, krathod, kverlaen, mnovotny, pjindal, rrajasek, rsynek, sdaley, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-25 09:53:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1744775, 1941988

Description Paramvir jindal 2019-09-03 06:21:38 UTC
autocomplete=off is not present in the password field or at the form level in the login page source code:

---------------
<form class="form-horizontal" role="form" action="j_security_check?locale=en_US" method="POST">
                    <div class="form-group">
                        <label for="j_username" class="col-sm-2 col-md-2 control-label">Username</label>
                        <div class="col-sm-10 col-md-10">
                            <input type="text" class="form-control" value="" name="j_username" id="j_username" placeholder="" tabindex="1" autofocus />
                        </div>
                    </div>
                    <div class="form-group">
                        <label for="j_password" class="col-sm-2 col-md-2 control-label">Password</label>
                        <div class="col-sm-10 col-md-10">
                            <input type="password" class="form-control" id="j_password" name="j_password" placeholder="" tabindex="2">
                        </div>
                    </div>
                    <div class="form-group">
                        <div class="col-xs-offset-8 col-xs-4 col-sm-offset-8 col-sm-4 col-md-offset-8 col-md-4 submit">
                            <button type="submit" class="btn btn-primary btn-lg" tabindex="3">Sign In</button>
                        </div>
                    </div>
                </form>
--------------

Solution:

Disable autocomplete for all sensitive fields like: 

<input type="password" autocomplete="off" name="pw">

If there are many fields, it may be faster to set the "autocomplete" attribute to "off" in the outer <form> tag. For example:

<form action="/login.jsp" autocomplete="off" name="pw">
<input type="password" name="pw">
</form>
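An added example, not part of the bug report or of Business Central: a small audit script that applies the condition described above (a password input with no autocomplete="off" on itself or on an enclosing form) to login-page markup, using a constructed sample modelled on the quoted form and on the proposed form-level fix.

```python
from html.parser import HTMLParser


class AutocompleteAuditor(HTMLParser):
    """Collects password inputs that neither carry autocomplete="off" themselves
    nor sit inside a <form> that does (the condition reported in this bug)."""

    def __init__(self):
        super().__init__()
        self.form_stack = []   # autocomplete="off" state of each open <form>
        self.findings = []     # name/id of each offending password field

    @staticmethod
    def _auto_off(attrs):
        # Valueless attributes come back as None, hence the "or" guard.
        return (dict(attrs).get("autocomplete") or "").strip().lower() == "off"

    def handle_starttag(self, tag, attrs):  # also called for "<input ... />"
        if tag == "form":
            self.form_stack.append(self._auto_off(attrs))
        elif tag == "input":
            a = dict(attrs)
            if (a.get("type") or "text").lower() != "password":
                return
            if self._auto_off(attrs) or any(self.form_stack):
                return  # covered at field level or by an enclosing form
            self.findings.append(a.get("name") or a.get("id") or "<unnamed>")

    def handle_endtag(self, tag):
        if tag == "form" and self.form_stack:
            self.form_stack.pop()


def audit(html):
    """Return the names of password fields that still allow autocomplete."""
    p = AutocompleteAuditor()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample reduced from the login form quoted in the report.
VULNERABLE = """<form action="j_security_check?locale=en_US" method="POST">
  <input type="text" name="j_username" id="j_username" tabindex="1" autofocus />
  <input type="password" name="j_password" id="j_password" tabindex="2">
  <button type="submit">Sign In</button>
</form>"""

# Constructed: the same form with the form-level fix from the report applied.
FIXED = VULNERABLE.replace('method="POST"', 'method="POST" autocomplete="off"')

if __name__ == "__main__":
    print(audit(VULNERABLE))  # ['j_password']
    print(audit(FIXED))       # []
```

Current mainstream browsers ignore autocomplete="off" on login credential fields for their built-in password managers, so the check confirms the markup and nothing more.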