Bug 1748185 (CVE-2019-14840) - CVE-2019-14840 Business-central: Sensitive HTML Form Fields like Password has auto-complete Enabled
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14840
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1744775 1941988
Reported: 2019-09-03 06:21 UTC by Paramvir jindal
Modified: 2021-10-25 09:53 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-25 09:53:41 UTC
Embargoed:



Description Paramvir jindal 2019-09-03 06:21:38 UTC
autocomplete=off is not present in the password field or at the form level in the login page source code:

---------------
<form class="form-horizontal" role="form" action="j_security_check?locale=en_US" method="POST">
                    <div class="form-group">
                        <label for="j_username" class="col-sm-2 col-md-2 control-label">Username</label>
                        <div class="col-sm-10 col-md-10">
                            <input type="text" class="form-control" value="" name="j_username" id="j_username" placeholder="" tabindex="1" autofocus />
                        </div>
                    </div>
                    <div class="form-group">
                        <label for="j_password" class="col-sm-2 col-md-2 control-label">Password</label>
                        <div class="col-sm-10 col-md-10">
                            <input type="password" class="form-control" id="j_password" name="j_password" placeholder="" tabindex="2">
                        </div>
                    </div>
                    <div class="form-group">
                        <div class="col-xs-offset-8 col-xs-4 col-sm-offset-8 col-sm-4 col-md-offset-8 col-md-4 submit">
                            <button type="submit" class="btn btn-primary btn-lg" tabindex="3">Sign In</button>
                        </div>
                    </div>
                </form>
--------------

Solution:

Disable autocomplete for all sensitive fields like: 

<input type="password" autocomplete="off" name="pw">

If there are many fields, it may be faster to set the "autocomplete" attribute to "off" in the outer <form> tag. For example:

<form action="/login.jsp" autocomplete="off" name="pw">
<input type="password" name="pw">
</form>
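
One way to check a page for the condition this report describes, as an added example that is not part of the original report or the product's code: a Python standard-library parser that flags every password input with no autocomplete="off" on the field or on its enclosing form. The two sample forms are constructed from the markup quoted above, and the class and function names are hypothetical.

```python
from html.parser import HTMLParser

# Constructed sample: the login form from the report, reduced to the relevant tags.
REPORTED_FORM = """
<form class="form-horizontal" role="form" action="j_security_check?locale=en_US" method="POST">
  <input type="text" name="j_username" id="j_username" autofocus />
  <input type="password" id="j_password" name="j_password">
</form>
"""
# Constructed sample: the same form with the report's form-level fix applied.
FIXED_FORM = REPORTED_FORM.replace('method="POST"', 'method="POST" autocomplete="off"')


class AutocompleteAudit(HTMLParser):
    """Collect password inputs not covered by autocomplete="off" (field or form)."""

    def __init__(self):
        super().__init__()
        self.form_off = []   # stack: one bool per open <form>
        self.findings = []   # (line number, field name) for each flagged input

    @staticmethod
    def _is_off(attrs):
        return (attrs.get("autocomplete") or "").strip().lower() == "off"

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_off.append(self._is_off(attrs))
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            # A field-level attribute takes precedence over the form-level one.
            off = self._is_off(attrs) if "autocomplete" in attrs else any(self.form_off[-1:])
            if not off:
                name = attrs.get("name") or attrs.get("id") or "?"
                self.findings.append((self.getpos()[0], name))

    def handle_endtag(self, tag):
        if tag == "form" and self.form_off:
            self.form_off.pop()


def audit(html):
    """Return [(line, name), ...] for password fields lacking autocomplete="off"."""
    parser = AutocompleteAudit()
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    print("reported:", audit(REPORTED_FORM), "fixed:", audit(FIXED_FORM))
```

Current browsers' password managers generally ignore autocomplete="off" on login fields, so an empty result shows that the attribute is present, not that credentials will never be stored.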

