Atlassian Jira ViewUserHover.jspa User Information Leakage Vulnerability CVE-2020-14181
Vulnerability Description
Jira exposes an endpoint that can be reached without authentication. An unauthenticated user can query it directly to learn whether a given username exists. This endpoint differs from the ones involved in CVE-2019-8446 and CVE-2019-3403; it is a new interface.
Vulnerability Impact
Atlassian Jira < 7.13.6
Atlassian Jira 8.0.0 - 8.5.7
Atlassian Jira 8.6.0 - 8.12.0
Network asset search
app="Jira"
Vulnerability reproduction
Open the main page and check whether the Jira version displayed next to the logo falls within the affected ranges.
Use the following request to verify whether a username exists:
/secure/ViewUserHover.jspa?username=admin
The response differs depending on whether the username exists, so the two cases can be told apart. An instance that is not vulnerable returns a third, distinct response. (The original post shows a screenshot for each of the three cases.)
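As an added, defender-side example (not code from the original post), the following Python script covers two of the checks above: whether a reported Jira version falls inside the affected ranges listed under Vulnerability Impact, and how to spot enumeration of this endpoint in web-server access logs. The log lines are constructed for the example, the combined-log regex assumes a standard Apache/Tomcat access-log format, and the threshold of three distinct usernames per source is an assumed tuning value.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs


def parse_version(version):
    """Turn '8.5.7' into (8, 5, 7) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version):
    """Affected ranges as stated in the advisory text for CVE-2020-14181:
    < 7.13.6, 8.0.0 - 8.5.7, 8.6.0 - 8.12.0 (inclusive)."""
    v = parse_version(version)
    if v < parse_version("7.13.6"):
        return True
    if parse_version("8.0.0") <= v <= parse_version("8.5.7"):
        return True
    if parse_version("8.6.0") <= v <= parse_version("8.12.0"):
        return True
    return False


# Combined access-log format (assumed): ip ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: one source probes several usernames, another does one lookup.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2020:10:00:01 +0000] "GET /secure/ViewUserHover.jspa?username=admin HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Sep/2020:10:00:02 +0000] "GET /secure/ViewUserHover.jspa?username=jsmith HTTP/1.1" 200 510',
    '203.0.113.7 - - [10/Sep/2020:10:00:03 +0000] "GET /secure/ViewUserHover.jspa?username=nosuchuser HTTP/1.1" 200 340',
    '203.0.113.7 - - [10/Sep/2020:10:00:04 +0000] "GET /secure/ViewUserHover.jspa?username=backup HTTP/1.1" 200 338',
    '198.51.100.4 - - [10/Sep/2020:10:00:05 +0000] "GET /secure/ViewUserHover.jspa?username=alice HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Sep/2020:10:00:06 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 8912',
]


def extract_hover_lookups(lines):
    """Yield (ip, username, status) for every request to ViewUserHover.jspa
    that carries a username parameter; other requests are ignored."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.lower().endswith("/secure/viewuserhover.jspa"):
            continue
        usernames = parse_qs(url.query).get("username")
        if not usernames:
            continue
        yield m.group("ip"), usernames[0], int(m.group("status"))


def detect_enumeration(lines, threshold=3):
    """Return {ip: sorted distinct usernames} for sources that looked up at least
    `threshold` distinct usernames. A single hover lookup is normal UI behaviour;
    many distinct names from one source is the enumeration pattern to alert on."""
    seen = defaultdict(set)
    for ip, user, _status in extract_hover_lookups(lines):
        seen[ip].add(user)
    return {ip: sorted(users) for ip, users in seen.items() if len(users) >= threshold}


if __name__ == "__main__":
    for ver in ("7.13.5", "7.13.6", "8.5.7", "8.5.8", "8.12.0", "8.12.1"):
        print(f"Jira {ver}: {'affected' if is_affected(ver) else 'not affected'}")
    for ip, users in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible user enumeration from {ip}: {users}")
```

The version check is only a first triage step; confirm against the vendor advisory for the exact fixed builds. The log detector keys on distinct usernames per source rather than request count, because legitimate hover lookups from one user tend to repeat the same few names while enumeration walks through many.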
This post is licensed under CC BY 4.0 by the author.