CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
97.0%
h3. Issue summary
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
h3. Workaround
If upgrading Jira to 8.4.0 is not an option for now, a temporary workaround consists in blocking this API endpoint on the Tomcat side, forcing it to return a 403 error for requests that carry no authenticated user session. The rule below uses the UrlRewriteFilter syntax (rule / condition / from / set / to); note that it only blocks unauthenticated callers, so logged-in users can still reach the resource.
The rule to add is:
{code:xml}
<rule>
<condition type="session-attribute" name="seraph_defaultauthenticator_user" operator="notequal">.+</condition>
<from>^(?s)/rest/api/.*/groupuserpicker</from>
<set type="status">403</set>
<to>null</to>
</rule>
{code}
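The following is an added example, not part of the Atlassian advisory: it models the workaround rule above so that its matching behaviour can be checked offline, and includes a small probe for confirming the block on a live instance. It assumes the usual UrlRewriteFilter semantics (the from pattern is matched against the request path without the query string, and notequal with .+ is satisfied when the session attribute is absent or empty). The base URL in the usage block is a placeholder, and the probe is only meaningful when run against an instance you are authorised to test.

```python
"""Offline model of the groupuserpicker 403 workaround rule, plus a live probe.

Added example for illustration; not code from Atlassian or the Jira project.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

# The rule's <from> pattern is ^(?s)/rest/api/.*/groupuserpicker.  Python's re
# module rejects an inline (?s) that does not sit at the very start of the
# pattern, so the DOTALL flag is hoisted out; the match is otherwise identical
# and is case-sensitive, just like the Java regex in the rule.
FROM_PATTERN = re.compile(r"^/rest/api/.*/groupuserpicker", re.DOTALL)

# The <condition> compares the session attribute against .+ with "notequal",
# so the rule fires only when no non-empty user name is stored in the session.
AUTH_PATTERN = re.compile(r".+")


def workaround_blocks(request_uri: str, session_user: Optional[str]) -> bool:
    """Return True if the workaround rule would answer this request with 403.

    request_uri  -- the request path, optionally with a query string
    session_user -- value of the seraph_defaultauthenticator_user session
                    attribute, or None when the session has no user
    """
    # Assumption: UrlRewriteFilter matches <from> against the path only,
    # unless use-query-string is enabled, so strip any query string first.
    path = request_uri.split("?", 1)[0]

    # Condition: attribute "notequal" .+  -> true when the attribute is
    # missing or empty, i.e. the caller is not authenticated.
    unauthenticated = session_user is None or AUTH_PATTERN.fullmatch(session_user) is None
    if not unauthenticated:
        return False

    return FROM_PATTERN.search(path) is not None


def probe_status(base_url: str, query: str = "a", timeout: float = 10.0) -> int:
    """Request the endpoint anonymously and return the HTTP status code.

    403 means the workaround (or an equivalent block) is in place; 200 means
    the endpoint still answers unauthenticated callers.  Network access
    required; only run this against an instance you are authorised to test.
    """
    url = (
        base_url.rstrip("/")
        + "/rest/api/latest/groupuserpicker?query="
        + urllib.parse.quote(query)
    )
    req = urllib.request.Request(url, headers={"User-Agent": "groupuserpicker-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # Constructed sample requests: (request URI, session user attribute).
    samples = [
        ("/rest/api/latest/groupuserpicker?query=admin", None),
        ("/rest/api/2/groupuserpicker", None),
        ("/rest/api/2/groupuserpicker", ""),
        ("/rest/api/2/groupuserpicker", "admin"),
        ("/rest/api/2/user/search?username=a", None),
    ]
    for uri, user in samples:
        verdict = "403 (blocked)" if workaround_blocks(uri, user) else "passes through"
        print(f"{uri!r:50} user={user!r:10} -> {verdict}")

    # Placeholder base URL; replace with an instance you are allowed to test.
    # print(probe_status("https://jira.example.invalid"))
```

The last sample shows the limit of the workaround: it is specific to the groupuserpicker path, and a logged-in user (the fourth sample) is never blocked, which matches the advisory's scope of unauthenticated username enumeration.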
Vendor | Product | Version | CPE |
---|---|---|---|
atlassian | jira_data_center | * | cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:* |