CVE-2019-3401
published 2019-05-22


Priority: P3 (48), severity: medium
CVSS 3.1 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS: 12.72% (95.8th percentile)
The ManageFilters.jspa resource in Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.

Affected

5 ranges

Vendor     Product      Version range                 Fixed in
atlassian  jira         < 7.13.3                      7.13.3
atlassian  jira         >= 8.0.0 < unspecified        unspecified
atlassian  jira         >= unspecified < 7.13.3       7.13.3
atlassian  jira         >= unspecified < 8.1.1        8.1.1
atlassian  jira_server  >= 8.0.0 < 8.1.1              8.1.1

Detection & IOCs (extracted from sources)

URL: /secure/ManageFilters.jspa?filter=popular&filterView=popular
  • Send a GET request to /secure/ManageFilters.jspa?filter=popular&filterView=popular and check the response for both the string '' and 'Manage Filters - Jira'; a match confirms unauthenticated access to the ManageFilters resource, which indicates username enumeration exposure.
  • Shodan queries can be used to identify exposed Jira instances: search for http.component:"Atlassian Jira" or cpe:"cpe:2.3:a:atlassian:jira".
  • The vulnerability affects Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1; scope detection to these version ranges.
  • Disabling anonymous/public access via Global Permissions mitigates the exposure but does NOT retroactively fix already-shared public filters and dashboards; those must be updated manually.
  • A dark feature to disable site-wide anonymous access was introduced in Jira 7.2.10 and can serve as a workaround on unpatched instances.

CVSS provenance

Source  Version   Score  Severity  Vector
nvd     v3.1      5.3    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd     v2.0      5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N