cbcvebase.
CVE-2020-14181
published 2020-09-17


Priority: P264 · Severity: medium · CVSS 3.1 base score: 5.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit: available (see the Metasploit module and Nuclei template notes below)
EPSS: 99.60% (99.9th percentile)
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.

Affected

11 ranges
Vendor     Product      Version range              Fixed in
atlassian  data_center  < 7.13.6                   7.13.6
atlassian  data_center  >= 8.0.0 < 8.5.7           8.5.7
atlassian  data_center  >= 8.6.0 < 8.12.0          8.12.0
atlassian  jira         < 7.13.6                   7.13.6
atlassian  jira_server  >= 8.0.0 < unspecified     unspecified
atlassian  jira_server  >= 8.0.0 < 8.5.7           8.5.7
atlassian  jira_server  >= 8.6.0 < unspecified     unspecified
atlassian  jira_server  >= 8.6.0 < 8.12.0          8.12.0
atlassian  jira_server  >= unspecified < 7.13.6    7.13.6
atlassian  jira_server  >= unspecified < 8.5.7     8.5.7
atlassian  jira_server  >= unspecified < 8.12.0    8.12.0

Detection & IOCs (extracted from sources)

url: /secure/ViewUserHover.jspa?username=
path: /secure/ViewUserHover.jspa
command: GET /secure/ViewUserHover.jspa?username={username}
snort rule:
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Jira User Enumeration Attempts (CVE-2020-14181)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ViewUserHover.jspa?username="; fast_pattern; threshold: type limit, count 30, seconds 45, track by_src; reference:cve,2020-14181; classtype:attempted-recon; sid:2031066; rev:2; metadata:created_at 2020_10_21, cve CVE_2020_14181, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_21;)
  • Detect user enumeration attempts by monitoring for repeated GET requests to /ViewUserHover.jspa?username=; the Snort/ET rule triggers on 30 requests within 45 seconds from the same source IP.
  • A vulnerable server responds WITHOUT the string 'User does not exist' for valid usernames and WITH it for invalid ones, so differential response analysis can confirm exploitation.
  • Nuclei template detection: look for HTTP 200 responses to GET /secure/ViewUserHover.jspa containing both 'user-hover-details' and 'content="JIRA"' in the response body.
  • The Shodan queries 'http.component:"Atlassian Jira"' and 'http.component:"atlassian jira"' can be used to identify internet-exposed Jira instances for proactive asset discovery.
  • The exploit requires no authentication: any unauthenticated GET request to the endpoint with a username parameter is sufficient to probe for valid accounts.
  • The Snort/ET rule (sid:2031066) uses a threshold of 30 requests in 45 seconds per source IP; low-and-slow enumeration campaigns below this rate will evade the rule.
  • The Metasploit module was tested only on specific versions (8.4.1, 8.5.6, 8.10.1, 8.11.0); behavior on other affected versions may differ.
  • The Nuclei template only confirms that the endpoint is reachable and returns Jira-specific content (max-request: 1); it does not confirm active exploitation or successful enumeration.
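A log-based detector for the probing pattern described above, added here as an example and not part of the cbcvebase record or any vendor tooling: it counts ViewUserHover requests per source in a 45-second sliding window using the 30-in-45 figures from the ET rule, and, to address the low-and-slow caveat, also counts distinct usernames probed by one source over a longer window. Note that the ET rule's threshold keyword uses type limit, which caps alerts at 30 per interval rather than waiting for 30 events, so the rate check here is stricter than the rule itself. The combined-log line layout, the client IPs, the one-hour window and the 10-distinct-name cutoff are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Request shape from the IOCs above; the username is captured for the distinct-name count.
HOVER_RE = re.compile(r'^GET /secure/ViewUserHover\.jspa\?username=([^ &]*)')
# Assumed combined-log layout: '<client ip> - - [<timestamp> <tz>] "<request>" <status> <bytes>'.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]\s]+)[^\]]*\] "([^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S"

def detect(lines, burst_n=30, burst_s=45, slow_n=10, slow_s=3600):
    """Return {client_ip: {alert names}} for ViewUserHover probing.
    'burst': >= burst_n hover requests from one source inside burst_s seconds (30 in 45, as in the ET rule).
    'slow':  >= slow_n distinct usernames probed by one source inside slow_s seconds (assumed values)."""
    recent = defaultdict(deque)   # ip -> timestamps of hover requests, oldest first
    probes = defaultdict(deque)   # ip -> (timestamp, username) pairs, oldest first
    alerts = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts_text, request = m.groups()
        hover = HOVER_RE.match(request)
        if not hover:
            continue                      # not a user-hover lookup; ignore
        ts = datetime.strptime(ts_text, TS_FMT)
        recent[ip].append(ts)
        while ts - recent[ip][0] > timedelta(seconds=burst_s):
            recent[ip].popleft()          # drop requests outside the burst window
        if len(recent[ip]) >= burst_n:
            alerts[ip].add("burst")
        probes[ip].append((ts, hover.group(1)))
        while ts - probes[ip][0][0] > timedelta(seconds=slow_s):
            probes[ip].popleft()          # drop probes outside the long window
        if len({user for _, user in probes[ip]}) >= slow_n:
            alerts[ip].add("slow")
    return dict(alerts)

def build_sample_log():
    """Constructed access-log lines for the demo; not captured from a real server."""
    t0 = datetime(2020, 10, 21, 12, 0, 0)
    events = [(t0 + timedelta(seconds=i), "198.51.100.7", f"user{i}") for i in range(35)]      # fast burst
    events += [(t0 + timedelta(minutes=3 * i), "203.0.113.9", f"acct{i}") for i in range(12)]  # low and slow
    events.append((t0 + timedelta(minutes=1), "192.0.2.5", "alice"))                            # one benign lookup
    lines = [f'{ip} - - [{t.strftime(TS_FMT)} +0000] "GET /secure/ViewUserHover.jspa?username={u} HTTP/1.1" 200 512'
             for t, ip, u in sorted(events)]
    lines.append(f'192.0.2.5 - - [{(t0 + timedelta(minutes=2)).strftime(TS_FMT)} +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 9000')
    return lines
```

Running detect(build_sample_log()) flags the burst source for both alerts, the paced source only for 'slow', and the single benign lookup for nothing.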

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     5.3    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd     v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N