2021-06-24 11:22:04 +00:00
id : CVE-2019-3401
2020-07-06 15:56:34 +00:00
info :
2023-02-01 16:00:45 +00:00
name : Atlassian Jira <7.13.3/8.0.0-8.1.1 - Incorrect Authorization
2021-06-24 11:22:04 +00:00
author : TechbrunchFR,milo2012
2021-09-10 11:26:40 +00:00
severity : medium
2023-02-01 16:00:45 +00:00
description : Atlasssian Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 is susceptible to incorrect authorization. The ManageFilters.jspa resource allows a remote attacker to enumerate usernames via an incorrect authorization check, thus possibly obtaining sensitive information, modifying data, and/or executing unauthorized operations.
2023-09-06 12:53:28 +00:00
remediation : Ensure this permission is restricted to specific groups that require it via Administration > System > Global Permissions. Turning the feature off will not affect existing filters and dashboards. If you change this setting, you will still need to update the existing filters and dashboards if they have already been shared publicly. Since Jira 7.2.10, a dark feature to disable site-wide anonymous access was introduced.
2022-04-22 10:38:41 +00:00
reference :
- https://jira.atlassian.com/browse/JRASERVER-69244
2023-02-01 16:00:45 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2019-3401
2021-09-10 11:26:40 +00:00
classification :
2022-05-17 09:18:12 +00:00
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2022-04-22 10:38:41 +00:00
cvss-score : 5.3
2021-09-10 11:26:40 +00:00
cve-id : CVE-2019-3401
2022-05-17 09:18:12 +00:00
cwe-id : CWE-863
2023-04-12 10:55:48 +00:00
epss-score : 0.0055
2023-11-06 12:42:20 +00:00
epss-percentile : 0.74989
2023-09-06 12:53:28 +00:00
cpe : cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*
2022-07-04 13:18:41 +00:00
metadata :
2023-04-28 08:11:21 +00:00
max-request : 1
2023-07-11 19:49:27 +00:00
vendor : atlassian
product : jira
2023-09-06 12:53:28 +00:00
shodan-query : http.component:"Atlassian Jira"
2022-04-22 10:38:41 +00:00
tags : cve,cve2019,jira,atlassian,exposure
2020-07-06 15:58:12 +00:00
2023-04-27 04:28:59 +00:00
http :
2020-07-06 15:56:34 +00:00
- method : GET
path :
- "{{BaseURL}}/secure/ManageFilters.jspa?filter=popular&filterView=popular"
2023-07-11 19:49:27 +00:00
2020-07-06 15:56:34 +00:00
matchers :
- type : word
words :
2021-06-24 11:22:04 +00:00
- '<span data-filter-field="owner-full-name">'
- '<title>Manage Filters - Jira</title>'
condition : and
2020-07-06 15:56:34 +00:00
2023-02-02 23:05:19 +00:00
# Remediation:
# Ensure that this permission is restricted to specific groups that require it.
# You can restrict it in Administration > System > Global Permissions.
# Turning the feature off will not affect existing filters and dashboards.
# If you change this setting, you will still need to update the existing filters and dashboards if they have already been
# shared publicly.
2023-10-14 11:27:55 +00:00
# Since Jira 7.2.10, a dark feature to disable site-wide anonymous access was introduced.
2023-11-06 12:53:56 +00:00
# digest: 490a00463044022041d75fa88c105f71d4341b0c95aa345238343aeb23a5b43d57d14ce0981720ba0220188778149a3e927f4de6774581d2edaf137ae677bd20f008dae31adf59e3f636:922c64590222798bb761d5b6d8e72950