Talos Vulnerability Report


Atlassian Jira issueTable username information disclosure vulnerability

September 16, 2019
CVE Number



A username information disclosure vulnerability exists in Atlassian Jira, versions 7.6.4 through 8.1.0. Anonymous users can distinguish valid usernames from invalid ones via the /rest/issueNav/1/issueTable API endpoint.

Tested Versions

Atlassian Jira 7.6.4
Atlassian Jira 8.1.0

Product URLs


CVSSv3 Score

5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N


CWE-862 - Missing Authorization


An attacker can use this endpoint to identify the usernames of valid accounts. No valid session is required.

Exploit Proof-of-Concept

Submit a POST to /rest/issueNav/1/issueTable with the following body:

jql=project in projectsLeadByUser("<USER>")

replacing <USER> with a candidate username. Any other JQL function that takes a username as a parameter can be used in place of projectsLeadByUser().

A response status code of 400 containing “…the user does not exist…” indicates the username is not valid.

A response status code of 200 containing a valid JSON issueTable object indicates the username is valid.
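The 400/200 split described above is also what a defender can look for in access logs: an anonymous client sending repeated POSTs to /rest/issueNav/1/issueTable and collecting mostly 400 responses with occasional 200s. The following detection script is an added example, not part of the Talos advisory and not Atlassian code. It assumes NCSA combined-format log lines (client, ident, authenticated user, timestamp, request line, status, size); the sample lines and the thresholds are constructed for the example, and Jira's own access-log layout may differ.

```python
"""Added detection example: flag anonymous clients that walk the Jira
issueTable username oracle (mixed 400/200 responses on repeated POSTs).
Not part of the advisory; log format and thresholds are assumptions."""
import re
from collections import defaultdict

# Assumed NCSA combined layout: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint named in the advisory.
ENDPOINT = "/rest/issueNav/1/issueTable"


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def flag_probing_clients(lines, min_requests=5, min_failures=3):
    """Return {client: counters} for clients whose anonymous POSTs to the
    issueTable endpoint look like username enumeration.

    Heuristic (assumption, tune for your environment): at least
    `min_requests` anonymous POSTs to the endpoint, at least `min_failures`
    of them answered 400, and at least one answered 200. A single 400 from a
    typo does not trip it; a run of 400s with occasional 200s does.
    """
    stats = defaultdict(lambda: {"total": 0, "s400": 0, "s200": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or rec["path"].split("?")[0] != ENDPOINT:
            continue
        if rec["user"] != "-":  # authenticated traffic is out of scope here
            continue
        s = stats[rec["client"]]
        s["total"] += 1
        if rec["status"] == 400:
            s["s400"] += 1
        elif rec["status"] == 200:
            s["s200"] += 1
    return {
        c: s for c, s in stats.items()
        if s["total"] >= min_requests
        and s["s400"] >= min_failures
        and s["s200"] >= 1
    }


# Constructed sample log: 198.51.100.7 probes the oracle anonymously,
# alice (203.0.113.9) runs normal authenticated searches, and 192.0.2.5
# makes a single anonymous request that errors out.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Sep/2019:10:00:01 +0000] "POST /rest/issueNav/1/issueTable HTTP/1.1" 400 212',
    '198.51.100.7 - - [16/Sep/2019:10:00:02 +0000] "POST /rest/issueNav/1/issueTable HTTP/1.1" 400 212',
    '203.0.113.9 - alice [16/Sep/2019:10:00:02 +0000] "POST /rest/issueNav/1/issueTable HTTP/1.1" 200 4096',
    '198.51.100.7 - - [16/Sep/2019:10:00:03 +0000] "POST /rest/issueNav/1/issueTable HTTP/1.1" 400 212',
    '198.51.100.7 - - [16/Sep/2019:10:00:04 +0000] "POST /rest/issueNav/1/issueTable HTTP/1.1" 200 3871',
    '192.0.2.5 - - [16/Sep/2019:10:00:05 +0000] "POST /rest/issueNav/1/issueTable HTTP/1.1" 400 212',
    '203.0.113.9 - alice [16/Sep/2019:10:00:06 +0000] "GET /browse/PROJ-1 HTTP/1.1" 200 18220',
    '198.51.100.7 - - [16/Sep/2019:10:00:07 +0000] "POST /rest/issueNav/1/issueTable HTTP/1.1" 400 212',
    '198.51.100.7 - - [16/Sep/2019:10:00:08 +0000] "POST /rest/issueNav/1/issueTable HTTP/1.1" 200 3902',
]

if __name__ == "__main__":
    for client, counters in flag_probing_clients(SAMPLE_LOG).items():
        print(f"{client}: {counters}")
```

Only 198.51.100.7 is reported on the sample: six anonymous POSTs, four 400s and two 200s. The authenticated client is skipped because the oracle in this advisory is about unauthenticated access, and the single anonymous 400 from 192.0.2.5 stays below the thresholds.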


2019-05-14 - Vendor Disclosure
2019-08-14 - Vendor Patched
2019-09-16 - Public Release


Discovered by Ben Taylor of Cisco ASIG.