CVE-2019-8449
published 2019-09-11CVE-2019-8449: The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure…
PriorityP359medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EXPLOIT
EPSS
84.77%
99.7th percentile
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atlassian | jira | < 8.4.0 | 8.4.0 |
| atlassian | jira | >= unspecified < 8.4.0 | 8.4.0 |
Detection & IOCsextracted from sources · hover to see the quote
- →Send a GET request to /rest/api/latest/groupuserpicker with parameters (e.g., query, maxResults, showAvatar). A vulnerable Jira instance (<8.4.0) will respond with HTTP 200 and a JSON body beginning with {"users":{"users": — confirming unauthenticated username enumeration. ↗
- →Match both HTTP 200 status code AND the response body containing the string {"users":{"users": to confirm exploitation of CVE-2019-8449. ↗
- →Shodan queries can be used to identify exposed Jira instances as targets: search for http.component:"Atlassian Jira" or cpe:"cpe:2.3:a:atlassian:jira". ↗
- →The exploit requires no authentication (PR:N, UI:N per CVSS). Any unauthenticated GET to the groupuserpicker endpoint with a query parameter is sufficient to trigger disclosure. ↗
- ·Vulnerability affects Jira versions 2.1 through 8.3.4 (fixed in 8.4.0). Confirm target version before testing; patched instances will not return the vulnerable JSON response. ↗
- ·If the endpoint does not return a JSON response, the instance may be patched or the domain/path is incorrect. The exploit script explicitly warns that a non-JSON response likely means the instance is not exploitable. ↗
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
osv7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-8wr9-r69x-g268: The /rest/api/latest/groupuserpicker resource in Jira before version 8
ghsa_unreviewed·2022-05-24
CVE-2019-8449 [MEDIUM] CWE-200 GHSA-8wr9-r69x-g268: The /rest/api/latest/groupuserpicker resource in Jira before version 8
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
OSV
squid, squid3 vulnerabilities
osv·2020-02-20·CVSS 7.5
CVE-2019-12528 squid, squid3 vulnerabilities
squid, squid3 vulnerabilities
Jeriko One discovered that Squid incorrectly handled memory when connected
to an FTP server. A remote attacker could possibly use this issue to obtain
sensitive information from Squid memory. (CVE-2019-12528)
Regis Leroy discovered that Squid incorrectly handled certain HTTP
requests. A remote attacker could possibly use this issue to access server
resources prohibited by earlier security filters. (CVE-2020-8449)
Guido Vranken discovered that Squid incorrectly handled certain buffer
operations when acting as a reverse proxy. A remote attacker could use
this issue to cause Squid to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2020-8450)
Aaron Costello discovered that Squid incorrectly handled certain NTLM
authentication
No detection rules found.
Exploit-DB
Jira 8.3.4 - Information Disclosure (Username Enumeration)
exploitdb·2020-02-03·CVSS 5.3
CVE-2019-8449 [MEDIUM] Jira 8.3.4 - Information Disclosure (Username Enumeration)
Jira 8.3.4 - Information Disclosure (Username Enumeration)
---
# Exploit Title: Jira 8.3.4 - Information Disclosure (Username Enumeration)
# Date: 2019-09-11
# Exploit Author: Mufeed VH
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira
# Version: 8.3.4
# Tested on: Pop!_OS 19.10
# CVE : CVE-2019-8449
# CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4
# DETAILS :: https://www.cvedetails.com/cve/CVE-2019-8449/
# CONFIRM :: https://jira.atlassian.com/browse/JRASERVER-69796
#!/usr/bin/env python
__author__ = "Mufeed VH (@mufeedvh)"
import os
import requests
class CVE_2019_8449:
def ask_for_domain(self):
domain = raw_input("[>] Enter the domain of Jira instance: => ")
if domain == "":
print("\n[-] ERROR: domain is required\n")
self.ask_f
Nuclei
Jira <8.4.0 - Information Disclosure
nuclei·CVSS 5.3
CVE-2019-8449 [MEDIUM] Jira <8.4.0 - Information Disclosure
Jira <8.4.0 - Information Disclosure
Jira before 8.4.0 is susceptible to information disclosure. The /rest/api/latest/groupuserpicker resource can allow an attacker to enumerate usernames, and thereby potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
Template:
id: CVE-2019-8449
info:
name: Jira <8.4.0 - Information Disclosure
author: harshbothra_
severity: medium
description: Jira before 8.4.0 is susceptible to information disclosure. The /rest/api/latest/groupuserpicker resource can allow an attacker to enumerate usernames, and thereby potentially obtain sensitive information, modify data, and/or execute unauthorized operations.
impact: |
An attacker can exploit this vulnerability to gain access to sensitive information.
remediation: |
Upgr
No writeups or analysis indexed.
2019-09-11
Published