CVE‐2020‐14181 - carnal0wnage/J-PWN GitHub Wiki
CVE-2020-14181
Category: [Username Enumeration]
module name: check_cve_2020_14181
url: /secure/ViewUserHover.jspa?username=ishouldntexist
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /[secure]/ViewUserHover.jspa endpoint. This vulnerability was discovered by Mikhail Klyuchnikov of Positive Technologies.
Affected versions:
version < 7.13.16
8.0.0 ≤ version < 8.5.7
8.6.0 ≤ version < 8.12.0
Fixed versions:
7.13.16
8.5.7
8.12.0
ref: https://jira.atlassian.com/browse/JRASERVER-71560
[CG] Because Bug Bounty people are fucking stupid...most of the PoCs look for:
{url}secure/ViewUserHover.jspa?username=admin
then check for HTTP 200
and the presence of the word "admin"
WELL... Jira will give you a 200 on the page for a patched system, and "admin" is listed a million times in the page and JavaScript. So that is not helpful to determine vulnerable vs non-vulnerable.
So instead this module will check for "User does not exist" within the response body with the url {url}secure/ViewUserHover.jspa?username=ishouldntexist
Vulnerable version
+ [Username Enumeration] CVE-2020-14181 Detected
URL: https://jira/secure/ViewUserHover.jspa?username=ishouldntexist
In this case the user sysadmin exists!
A patched version won't have the "User does not exist" in the response
- No CVE-2020-14181 vulnerability detected on: http://jira/secure/ViewUserHover.jspa?username=ishouldntexist
- HTTP Status Code: 200
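The difference between the two heuristics described above, plus the affected-version ranges listed on this page, as an added offline example (not J-PWN's own code). The two response bodies are constructed samples, and every function name here is hypothetical.

```python
import re

MARKER = "User does not exist"  # body string the page's module checks for

# Affected ranges from the page, as (inclusive lower, exclusive upper) bounds.
AFFECTED = [((0, 0, 0), (7, 13, 16)), ((8, 0, 0), (8, 5, 7)), ((8, 6, 0), (8, 12, 0))]

# Constructed sample bodies (assumptions, not captured from a real Jira).
VULNERABLE_BODY = '<div class="user-hover-info">User does not exist: ishouldntexist</div>'
PATCHED_BODY = ('<html><script>var cfg = {"adminContact": "/secure/ContactAdministrators"};'
                '</script><body>Log in or contact your Jira admin.</body></html>')


def parse_version(text):
    """Turn '8.5.6' or '8.12' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def version_affected(text):
    """True when the version falls inside one of the page's affected ranges."""
    ver = parse_version(text)
    return any(lo <= ver < hi for lo, hi in AFFECTED)


def naive_check(status, body):
    """The PoC heuristic the page criticises: HTTP 200 plus the word 'admin'."""
    return status == 200 and "admin" in body


def marker_check(body):
    """The page's heuristic: the error string for a user that cannot exist."""
    return MARKER in body


def assess(version, status, body):
    """Report all three signals so a disagreement between them is visible."""
    return {"version_affected": version_affected(version),
            "naive": naive_check(status, body),
            "marker": marker_check(body)}
```

Running `assess` over an inventory of your own Jira versions and saved responses shows where the naive check would raise a false positive on an already patched instance.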