CVE-2019-8446
An username information disclosure vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. Anonymous users can differentiate between valid usernames and invalid usernames via /rest/issueNav/1/issueTable API endpoint.
Atlassian Jira 7.6.4 Atlassian Jira 8.1.0
https://www.atlassian.com/software/jira
5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-862 - Missing Authorization
An attacker can use this vector to identify usernames for valid accounts. This does not require a valid session.
Submit a POST to /rest/issueNav/1/issueTable with the following body:
jql=project in projectsLeadByUser("<USER>")
replacing <USER> with a possibly valid username. Any other function that takes a username as a parameter can also be used, not just projectsLeadByUser().
A response status code of 400 containing “…the user does not exist…” indicates the username is not valid.
A response status code of 200 containing a valid JSON issueTable object indicates the username is valid.
2019-05-14 - Vendor Disclosure
2019-08-14 - Vendor Patched
2019-09-16 - Public Release
Discovered by Ben Taylor of Cisco ASIG.