id: CVE-2019-3401

info:
  name: Atlassian Jira <7.13.3/8.0.0-8.1.1 - Incorrect Authorization
  author: TechbrunchFR,milo2012
  severity: medium
  description: Atlasssian Jira before version 7.13.3 and from version 8.0.0 before version 8.1.1 is susceptible to incorrect authorization. The ManageFilters.jspa resource allows a remote attacker to enumerate usernames via an incorrect authorization check, thus possibly obtaining sensitive information, modifying data, and/or executing unauthorized operations.
  impact: |
    The vulnerability allows unauthorized users to access sensitive information or perform unauthorized actions.
  remediation: Ensure this permission is restricted to specific groups that require it via Administration > System > Global Permissions. Turning the feature off will not affect existing filters and dashboards. If you change this setting, you will still need to update the existing filters and dashboards if they have already been shared publicly. Since Jira 7.2.10, a dark feature to disable site-wide anonymous access was introduced.
  reference:
    - https://jira.atlassian.com/browse/JRASERVER-69244
    - https://nvd.nist.gov/vuln/detail/CVE-2019-3401
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2019-3401
    cwe-id: CWE-863
    epss-score: 0.0055
    epss-percentile: 0.7504
    cpe: cpe:2.3:a:atlassian:jira:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: atlassian
    product: jira
    shodan-query:
      - http.component:"Atlassian Jira"
      - http.component:"atlassian jira"
      - http.component:"atlassian confluence"
      - cpe:"cpe:2.3:a:atlassian:jira"
  tags: cve,cve2019,jira,atlassian,exposure

http:
  - method: GET
    path:
      - "{{BaseURL}}/secure/ManageFilters.jspa?filter=popular&filterView=popular"

    matchers:
      - type: word
        words:
          - '<span data-filter-field="owner-full-name">'
          - '<title>Manage Filters - Jira</title>'
        condition: and

# Remediation:
# Ensure that this permission is restricted to specific groups that require it.
# You can restrict it in Administration > System > Global Permissions.
# Turning the feature off will not affect existing filters and dashboards.
# If you change this setting, you will still need to update the existing filters and dashboards if they have already been
# shared publicly.
# Since Jira 7.2.10, a dark feature to disable site-wide anonymous access was introduced.
# digest: 4a0a00473045022100c9170f7bdd41f6dbe0f06d367172ecbd5cb49b7f8104efe60cf879d4be199f4102201491492580142a51c3153ed2fc616e93e49484152010d8f2c9dbcee3eac961c0:922c64590222798bb761d5b6d8e72950