CVE-2019-3401
published 2019-05-22CVE-2019-3401: The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an…
PriorityP348medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EXPLOIT
EPSS
12.72%
95.8th percentile
The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atlassian | jira | < 7.13.3 | 7.13.3 |
| atlassian | jira | >= 8.0.0 < unspecified | unspecified |
| atlassian | jira | >= unspecified < 7.13.3 | 7.13.3 |
| atlassian | jira | >= unspecified < 8.1.1 | 8.1.1 |
| atlassian | jira_server | >= 8.0.0 < 8.1.1 | 8.1.1 |
Detection & IOCsextracted from sources · hover to see the quote
- →Send a GET request to /secure/ManageFilters.jspa?filter=popular&filterView=popular and check the response for both the string '' and 'Manage Filters - Jira' to confirm unauthenticated access to the ManageFilters resource, indicating username enumeration exposure. ↗
- →Shodan queries can be used to identify exposed Jira instances as potential targets: search for http.component:"Atlassian Jira" or cpe:"cpe:2.3:a:atlassian:jira". ↗
- →The vulnerability affects Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1; scope detection to these version ranges. ↗
- ·Disabling anonymous/public access via Global Permissions mitigates the exposure but does NOT retroactively fix already-shared public filters and dashboards — those must be updated manually. ↗
- ·A dark feature to disable site-wide anonymous access was introduced in Jira 7.2.10 and can serve as a workaround on unpatched instances. ↗
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
Atlassian Jira <7.13.3/8.0.0-8.1.1 - Incorrect Authorization
nuclei·CVSS 5.3
CVE-2019-3401 [MEDIUM] Atlassian Jira <7.13.3/8.0.0-8.1.1 - Incorrect Authorization
Atlassian Jira System > Global Permissions. Turning the feature off will not affect existing filters and dashboards. If you change this setting, you will still need to update the existing filters and dashboards if they have already been shared publicly. Since Jira 7.2.10, a dark feature to disable site-wide anonymous access was introduced.
reference:
- https://jira.atlassian.com/browse/JRASERVER-69244
- https://nvd.nist.gov/vuln/detail/CVE-2019-3401
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
cvss-score: 5.3
cve-id: CVE-2019-3401
cwe-id: CWE-863
epss-score: 0.65975
epss-percentile: 0.98515
cpe: cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: atlassian
product: jira
shodan-query:
- http.component:"Atlassian Jira"
- http.component:"atl
2019-05-22
Published