CVE-2019-3403
Published 2019-05-22
Priority P3 (57) · medium 5.3 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EXPLOIT · EPSS 52.64% (98.8th percentile)
The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atlassian | jira | < 7.13.3 | 7.13.3 |
| atlassian | jira | >= 8.0.0 < unspecified | unspecified |
| atlassian | jira | >= 8.1.0 < unspecified | unspecified |
| atlassian | jira | >= unspecified < 7.13.3 | 7.13.3 |
| atlassian | jira | >= unspecified < 8.0.4 | 8.0.4 |
| atlassian | jira | >= unspecified < 8.1.1 | 8.1.1 |
| atlassian | jira_server | >= 8.0.0 < 8.0.4 | 8.0.4 |
| atlassian | jira_server | >= 8.1.0 < 8.1.1 | 8.1.1 |
Detection & IOCs (extracted from sources)
- Unauthenticated GET request to /rest/api/2/user/picker?query= returning HTTP 200 with a JSON body containing 'total' and 'header' keys indicates successful username enumeration via CVE-2019-3403.
- A JSON response body containing both '"total":' and '"header":' keys (with content-type application/json) to an unauthenticated request confirms the vulnerable endpoint is exposed.
- Filter out false positives: a response body containing 'total":0' indicates no users found and should be treated as negative/non-exploitable.
- Shodan queries 'http.component:"Atlassian Jira"' and 'cpe:"cpe:2.3:a:atlassian:jira"' can be used to identify internet-exposed Jira instances for proactive scanning.
- The vulnerability is exploitable without authentication (PR:N, UI:N per CVSS), so any unauthenticated access to the picker endpoint from external IPs should be alerted on.
- Affected versions are Jira < 7.13.3, 8.0.0 – 8.0.3, and 8.1.0 only; patched versions (7.13.3+, 8.0.4+, 8.1.1+) are not vulnerable, so version-check before alerting.
- EPSS score of 0.828 (99.245th percentile) indicates very high real-world exploitation probability; prioritise detection and patching accordingly.
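Added example, not code from the CVE record or any of its sources: a small defender-side triage helper in Python that applies the affected version ranges listed above and flags unauthenticated, successful requests to the picker resource in constructed access-log lines. The combined log format, the field layout and the sample IPs are assumptions.

```python
"""Triage helper for CVE-2019-3403 (added example, not from the advisory).

Two checks a defender wants before raising an alert:
  1. is_affected(version): is this Jira build inside an affected range?
  2. picker_probes(lines): which log lines are unauthenticated GETs to
     /rest/api/2/user/picker that the server answered with HTTP 200?
"""
import re
from typing import List, Tuple

# Affected ranges from the advisory: < 7.13.3, 8.0.0-8.0.3, 8.1.0 (half-open).
AFFECTED = [((0, 0, 0), (7, 13, 3)), ((8, 0, 0), (8, 0, 4)), ((8, 1, 0), (8, 1, 1))]


def parse_version(v: str) -> Tuple[int, int, int]:
    """'7.9.2' -> (7, 9, 2); missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", v)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)


# Combined-log-format line (assumed layout). The third field is the
# authenticated user; "-" means the request carried no session.
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]+" (\d{3}) ')


def picker_probes(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, path) for unauthenticated GET picker hits answered 200."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, method, path, status = m.groups()
        if (method == "GET" and path.split("?")[0] == "/rest/api/2/user/picker"
                and user == "-" and status == "200"):
            hits.append((ip, path))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [22/May/2019:10:01:02 +0000] "GET /rest/api/2/user/picker?query=a HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/May/2019:10:01:03 +0000] "GET /rest/api/2/user/picker?query=b HTTP/1.1" 401 0',
    '10.0.0.5 - jdoe [22/May/2019:10:02:00 +0000] "GET /rest/api/2/user/picker?query=jd HTTP/1.1" 200 300',
    '198.51.100.9 - - [22/May/2019:10:03:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 9000',
]
```

Only the first sample line is a finding: the 401 was refused, the third request was authenticated, and the fourth is a different resource.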
CVSS provenance
- NVD, CVSS v3.1: 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
No detection rules found.
Nuclei
CVE-2019-3403 [MEDIUM] Jira - Incorrect Authorization (nuclei · CVSS 5.3)
Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 is susceptible to an incorrect authorization check in the /rest/api/2/user/picker rest resource, enabling an attacker to enumerate usernames and gain improper access.
Template:
```yaml
id: CVE-2019-3403
info:
  name: Jira - Incorrect Authorization
  author: Ganofins
  severity: medium
  description: Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 is susceptible to an incorrect authorization check in the /rest/api/2/user/picker rest resource, enabling an attacker to enumerate usernames and gain improper access.
  impact: |
    This vulnerability can lead to unauthorized access to sensitive data, potenti
```
HackerOne
CVE-2019-3403 [MEDIUM] CVE-2019-3403 on https://████/rest/api/2/user/picker?query= (hackerone · 2021-06-03 · CVSS 5.3)
**Description:**
The endpoint at
```
https://████████/rest/api/2/user/picker?query=
```
suffers from CVE-2019-3403 due to an old version of Jira.
## References
https://nvd.nist.gov/vuln/detail/CVE-2019-3403
~@naglinagli
## Impact
The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
## System Host(s)
███
## Affected Product(s) and Version(s)
## CVE Numbers
## Steps to Reproduce
Navigate to https://██████/rest/api/2/user/picker?query=admin
## Suggested Mitigation/Remediation Actions
Update the Jira version.
HackerOne
CVE-2019-3403 [MEDIUM] Information disclosure on sim.starbucks.com (hackerone · 2019-11-13 · CVSS 5.3)
**Description:**
Hi, there. I found that the sim.starbucks.com host has deployed Jira Server version 7.9.2; there are many public vulnerabilities in this old version.
**Information disclosure vulnerability**
1. (CVE-2019-3403) https://jira.atlassian.com/browse/JRASERVER-69242
Visit the URL address; you can check whether a user exists on this host:
```
https://sim.starbucks.com/rest/api/2/user/picker?query=admin
```
So the attacker can enumerate all existing users on this Jira server.
2. (CVE-2019-8442) https://jira.atlassian.com/browse/JRASERVER-69241
Visit the URL address; the server will leak some server information:
```
https://sim.starbucks.com/s/thiscanbeanythingyouwant/_/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml
```