Talos Vulnerability Report

TALOS-2019-0839

Atlassian Jira issueTable username information disclosure vulnerability

September 16, 2019
CVE Number

CVE-2019-8446

Summary

An username information disclosure vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. Anonymous users can differentiate between valid usernames and invalid usernames via /rest/issueNav/1/issueTable API endpoint.

Tested Versions

Atlassian Jira 7.6.4 Atlassian Jira 8.1.0

Product URLs

https://www.atlassian.com/software/jira

CVSSv3 Score

5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-862 - Missing Authorization

Details

An attacker can use this vector to identify usernames for valid accounts. This does not require a valid session.

Exploit Proof-of-Concept

Submit a POST to /rest/issueNav/1/issueTable with the following body:

jql=project in projectsLeadByUser("<USER>")

replacing <USER> with a possibly valid username. Any other function that takes a username as a parameter can also be used, not just projectsLeadByUser().

A response status code of 400 containing "...the user does not exist..." indicates the username is not valid.

A response status code of 200 containing a valid JSON issueTable object indicates the username is valid.

Timeline

2019-05-14 - Vendor Disclosure
2019-08-14 - Vendor Patched
2019-09-16 - Public Release

Credit

Discovered by Ben Taylor of Cisco ASIG.