Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-8449: Missing Authentication for Critical Function in Atlassian Jira

Severity
5.3 MEDIUM (NVD)
EPSS
71.1%
top 1.29%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: Sep 11
Latest update: May 24

Description

The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

CVEListV5 | atlassian/jira | unspecified | 8.4.0
NVD | atlassian/jira | < 8.4.0

🔴 Vulnerability Details (3)
GHSA
GHSA-8wr9-r69x-g268: The /rest/api/latest/groupuserpicker resource in Jira before version 8 | 2022-05-24
OSV
squid, squid3 vulnerabilities | 2020-02-20
CVEList
CVE-2019-8449: The /rest/api/latest/groupuserpicker resource in Jira before version 8 | 2019-09-11

💥 Exploits & PoCs (2)
Exploit-DB
Jira 8.3.4 - Information Disclosure (Username Enumeration) | 2020-02-03
Nuclei
Jira <8.4.0 - Information Disclosure