An username information disclosure vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. Anonymous users can differentiate between valid usernames and invalid usernames via
/rest/issueNav/1/issueTable API endpoint.
Atlassian Jira 7.6.4 Atlassian Jira 8.1.0
5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-862 - Missing Authorization
An attacker can use this vector to identify usernames for valid accounts. This does not require a valid session.
Submit a POST to
/rest/issueNav/1/issueTable with the following body:
jql=project in projectsLeadByUser("<USER>")
<USER> with a possibly valid username. Any other function that takes a username as a parameter can also be used, not just
A response status code of 400 containing “…the user does not exist…” indicates the username is not valid.
A response status code of 200 containing a valid JSON issueTable object indicates the username is valid.
2019-05-14 - Vendor Disclosure
2019-08-14 - Vendor Patched
2019-09-16 - Public Release
Discovered by Ben Taylor of Cisco ASIG.