Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-3403 — Incorrect Authorization in Atlassian Jira

CWE-863 — Incorrect Authorization6 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

82.8%

top 0.75%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Atlassian Jira Atlassian Jira Server

Timeline

PublishedMay 22

Latest updateMay 24

Description

The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5atlassian/jiraunspecified — 7.13.3+4

▶NVDatlassian/jira< 7.13.3

▶NVDatlassian/jira_server8.0.0 — 8.0.4+1

🔴Vulnerability Details

GHSA

GHSA-6jvq-7cj3-36wh: The /rest/api/2/user/picker rest resource in Jira before version 7↗2022-05-24

▶

CVEList

CVE-2019-3403: The /rest/api/2/user/picker rest resource in Jira before version 7↗2019-05-22

▶

💥Exploits & PoCs

Nuclei

Jira - Incorrect Authorization

▶

💬Community

HackerOne

CVE-2019-3403 on https://████/rest/api/2/user/picker?query=↗2021-06-03

▶

HackerOne

Information disclosure on sim.starbucks.com↗2019-11-13

▶