h3. Issue summary
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
h3. Workaround
If upgrading Jira to 8.4.0 is not an option for now, a temporary workaround is to block this REST endpoint for unauthenticated requests with a UrlRewriteFilter rule (the filter runs inside Jira's Tomcat) that makes the request return HTTP 403. The {{<condition>}} only fires when no authenticated Seraph user is stored in the session, so logged-in users keep access to the endpoint while anonymous callers are refused.
The rule is:
{code:xml}
<rule>
<condition type="session-attribute" name="seraph_defaultauthenticator_user" operator="notequal">.+</condition>
<from>^(?s)/rest/api/.*/groupuserpicker</from>
<set type="status">403</set>
<to>null</to>
</rule>
{code}
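To confirm the workaround is in effect, the following script (added here as an example, not part of the original issue or of Jira) probes the endpoint once anonymously and once with credentials and classifies the pair of status codes. It also contains a Python equivalent of the rule's {{<from>}} and {{<condition>}} logic so you can check offline which paths and sessions the rule covers. {{BASE_URL}}, the credentials and the {{?query=a}} parameter are placeholders you must replace.

```python
"""Check that the groupuserpicker UrlRewriteFilter workaround is active.

Added example, not part of the original issue. BASE_URL and the credentials
are assumed placeholders; point them at your own Jira instance.
"""
import base64
import re
import urllib.error
import urllib.request
from typing import Optional

# Assumed values for illustration only.
BASE_URL = "https://jira.example.com"
ENDPOINT = "/rest/api/2/groupuserpicker?query=a"

# Python equivalent of the <from> pattern in the rule. Java accepts the (?s)
# flag after the ^ anchor; Python requires inline flags first, so it is moved.
FROM_PATTERN = re.compile(r"(?s)^/rest/api/.*/groupuserpicker")


def rule_applies(path: str, session_user: Optional[str]) -> bool:
    """Mirror the rule: block when the path matches and no Seraph user is set.

    The <condition> compares the session attribute
    seraph_defaultauthenticator_user with operator 'notequal' against '.+',
    so it is true only when the attribute is absent or empty (anonymous).
    """
    anonymous = not session_user
    return anonymous and FROM_PATTERN.search(path) is not None


def fetch_status(url: str, user: Optional[str] = None,
                 password: Optional[str] = None) -> int:
    """GET url and return the HTTP status, treating 4xx/5xx as a result."""
    req = urllib.request.Request(url, method="GET")
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def verdict(anon_status: int, auth_status: int) -> str:
    """Classify the observed status codes for the anonymous/authenticated pair."""
    if anon_status == 403 and auth_status == 200:
        return "workaround active: anonymous blocked, authenticated users unaffected"
    if anon_status == 200:
        return "NOT protected: anonymous request reached the endpoint"
    if anon_status == 403 and auth_status == 403:
        return "everything blocked: check the <condition> in the rule"
    return f"inconclusive: anonymous={anon_status}, authenticated={auth_status}"


if __name__ == "__main__":
    anon = fetch_status(BASE_URL + ENDPOINT)
    auth = fetch_status(BASE_URL + ENDPOINT, "jira-user", "jira-password")
    print(verdict(anon, auth))
```

Run it before and after adding the rule: a 200 for the anonymous request means the endpoint is still reachable, a 403 for both requests means the session-attribute condition is not matching your authenticated session and the rule is blocking everyone. Note that {{rule_applies}} only models the rule itself; other REST paths that return user data are not covered by it.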