cbcvebase.
CVE-2019-3403
published 2019-05-22


Priority: P3 · 57 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit: EPSS 52.64% (98.8th percentile)
The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.

Affected

8 ranges
Vendor     Product      Version range               Fixed in
atlassian  jira         < 7.13.3                    7.13.3
atlassian  jira         >= 8.0.0 < unspecified      unspecified
atlassian  jira         >= 8.1.0 < unspecified      unspecified
atlassian  jira         >= unspecified < 7.13.3     7.13.3
atlassian  jira         >= unspecified < 8.0.4      8.0.4
atlassian  jira         >= unspecified < 8.1.1      8.1.1
atlassian  jira_server  >= 8.0.0 < 8.0.4            8.0.4
atlassian  jira_server  >= 8.1.0 < 8.1.1            8.1.1

Detection & IOCs (extracted from sources)

url: /rest/api/2/user/picker?query=
path: /rest/api/2/user/picker
  • Unauthenticated GET request to /rest/api/2/user/picker?query= returning HTTP 200 with JSON body containing 'total' and 'header' keys indicates successful username enumeration via CVE-2019-3403.
  • A JSON response body containing both '"total":' and '"header":' keys (with content-type application/json) to an unauthenticated request confirms the vulnerable endpoint is exposed.
  • Filter out false positives: a response body containing 'total":0' indicates no users found and should be treated as negative/non-exploitable.
  • Shodan queries 'http.component:"Atlassian Jira"' and 'cpe:"cpe:2.3:a:atlassian:jira"' can be used to identify internet-exposed Jira instances for proactive scanning.
  • The vulnerability is exploitable without authentication (PR:N, UI:N per CVSS), so any unauthenticated access to the picker endpoint from external IPs should be alerted on.
  • Affected versions are Jira < 7.13.3, 8.0.0 – 8.0.3, and 8.1.0 only; patched versions (7.13.3+, 8.0.4+, 8.1.1+) are not vulnerable — version-check before alerting.
  • EPSS score of 0.828 (99.245th percentile) indicates very high real-world exploitation probability; prioritise detection and patching accordingly.
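
The detection bullets above, combined into one classifier over log records, as an added example that is not part of this record or of any Atlassian tooling: it keeps only unauthenticated GETs to the picker path that returned HTTP 200 JSON with both 'total' and 'header' keys, treats 'total':0 as a negative, and version-checks against the affected ranges before alerting. The log record schema, the rec() helper and everything in the sample bodies beyond those two keys are assumptions.

```python
import json
PICKER_PATH = "/rest/api/2/user/picker"

def is_affected(version):
    """Affected ranges from the advisory: < 7.13.3, 8.0.0 to 8.0.3, and 8.1.0."""
    v = tuple(int(p) for p in version.split("."))  # assumes plain dotted integers
    return v < (7, 13, 3) or (8, 0, 0) <= v < (8, 0, 4) or (8, 1, 0) <= v < (8, 1, 1)

def classify(record, jira_version):
    """Return 'alert', 'negative' or 'ignore' for one log record (schema: see rec())."""
    if record["method"] != "GET" or not record["path"].startswith(PICKER_PATH):
        return "ignore"
    if record["authenticated"]:
        return "ignore"  # authenticated use of the picker is normal Jira behaviour
    if not is_affected(jira_version):
        return "ignore"  # patched instance: version-check before alerting
    if record["status"] != 200 or "application/json" not in record["content_type"]:
        return "ignore"
    try:
        body = json.loads(record["body"])
    except ValueError:
        return "ignore"
    if not isinstance(body, dict) or "total" not in body or "header" not in body:
        return "ignore"
    if body["total"] == 0:
        return "negative"  # "total":0 means no users matched: non-exploitable hit
    return "alert"

def scan(records, jira_version):
    """Return (index, verdict) pairs for every record that is not ignored."""
    results = []
    for i, record in enumerate(records):
        verdict = classify(record, jira_version)
        if verdict != "ignore":
            results.append((i, verdict))
    return results

def rec(path, authenticated, status, body, ctype="application/json;charset=UTF-8"):
    """Build one record in the constructed log schema this example assumes."""
    return {"method": "GET", "path": path, "authenticated": authenticated,
            "status": status, "content_type": ctype, "body": body}

# Constructed sample records, not captured traffic; only the 'total' and 'header'
# keys come from the advisory, the rest of each body is made up.
SAMPLE_RECORDS = [
    rec("/rest/api/2/user/picker?query=a", False, 200, '{"total":1,"header":"Showing 1 of 1 matching users"}'),
    rec("/rest/api/2/user/picker?query=zz", False, 200, '{"total":0,"header":"Showing 0 of 0 matching users"}'),
    rec("/rest/api/2/user/picker?query=a", True, 200, '{"total":1,"header":"x"}'),
    rec("/rest/api/2/issue/TEST-1", False, 401, "{}"),
]
```

Running scan(SAMPLE_RECORDS, "8.0.3") yields one alert and one negative; the same records against "8.0.4" yield nothing, which is the version gate the last-but-one bullet asks for.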

CVSS provenance

NVD · CVSS v3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
NVD · CVSS v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N