Unauthenticated User Enumeration via UserPickerBrowser.jspa - carnal0wnage/J-PWN GitHub Wiki

Unauthenticated User Enumeration via UserPickerBrowser.jspa

Category: [Info Disclosure]

module name: check_unauthenticated_user_enumeration

url: /secure/popups/UserPickerBrowser.jspa

[CG] When this endpoint is publicly exposed, a list of the JIRA users will be visible. You could use this for brute-force attacks against the JIRA login page.

UserPicker Vulnerability

[Figure: Browse Users]

Upon discovering an instance of Jira, one of the first things I like to do is check for anonymous access to the user picker functionality located at /secure/popups/UserPickerBrowser.jspa

The Issue

By default, it’s only accessible to authenticated users. This function is used to search for a user and assign them tasks. It is a complete list of every user’s username and email address. There are three standard user groups in Jira: Administrators, Jira Users, and Anyone. For one reason or another, an administrator may grant the ‘Anyone’ group access to this functionality. This grants anyone access to the function – even anonymous users.
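An added audit helper (not part of J-PWN or the referenced posts) that fetches the endpoint once without a session and classifies the answer as the default login redirect or as an exposed user browser; the page markers it relies on (a login.jsp redirect, an inline os_username field, mailto: cells in the user table) and the sample responses are assumptions and constructed data.

```python
"""Audit helper: does /secure/popups/UserPickerBrowser.jspa answer anonymous requests?
Page markers (login.jsp redirect, os_username field, mailto: cells) are assumptions."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field

USERPICKER_PATH = "/secure/popups/UserPickerBrowser.jspa"


@dataclass
class Probe:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def count_user_rows(body):
    """Assumption: each listed account is a <tr> holding a mailto: link."""
    rows = re.findall(r"<tr\b.*?</tr>", body, re.S | re.I)
    return sum(1 for r in rows if "mailto:" in r.lower())


def classify(probe):
    """'login_required' is the default Jira behaviour; 'exposed' means the
    'Anyone' group was granted the function and anonymous callers see the list."""
    loc = probe.headers.get("Location", "")
    if probe.status in (301, 302, 303, 307) and "login.jsp" in loc:
        return "login_required"
    if probe.status in (401, 403):
        return "forbidden"
    if probe.status == 200:
        if "os_username" in probe.body:          # login form rendered inline
            return "login_required"
        if count_user_rows(probe.body) > 0:
            return "exposed"
    return "unknown"


def fetch_anonymous(base_url, timeout=10):
    """One cookie-less GET; redirects are not followed so the 302 itself is inspected."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    req = urllib.request.Request(base_url.rstrip("/") + USERPICKER_PATH,
                                 headers={"User-Agent": "userpicker-audit"})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as r:
            return Probe(r.status, dict(r.headers), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Probe(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from a real instance).
EXPOSED_BODY = ('<table id="user_browser"><tr><th>Username</th><th>Email</th></tr>'
                '<tr><td>alice</td><td><a href="mailto:alice@example.com">..</a></td></tr>'
                '<tr><td>bob</td><td><a href="mailto:bob@example.com">..</a></td></tr></table>')
SAFE_REDIRECT = Probe(302, {"Location": "/login.jsp?os_destination=%2Fsecure%2Fpopups%2FUserPickerBrowser.jspa"})
```

Run `classify(fetch_anonymous("https://jira.example.com"))` against your own instance; anything other than `login_required` or `forbidden` means the 'Anyone' grant should be reviewed.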

ref: https://www.netspi.com/blog/technical-blog/web-application-pentesting/jira-information-gathering/

additional ref: https://logicbomb.medium.com/one-misconfig-jira-to-leak-them-all-including-nasa-and-hundreds-of-fortune-500-companies-a70957ef03c7