h3. Issue summary

The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
h3. Workaround

If upgrading Jira to 8.4.0 is not an option for now, then a temporary workaround consists in blocking this API endpoint on the Tomcat side by forcing it to return a 403 error.

The steps are:

Add to the file <jira-installation-directory>/atlassian-jira/WEB-INF/urlrewrite.xml the rule below, which will return a 403 error whenever someone who is not authenticated via Cookie (IE, normal browser access, or cookie based API calls) calls /rest/api/latest/groupuserpicker:

{code:java}
<rule>
<condition type=“session-attribute” name=“seraph_defaultauthenticator_user” operator=“notequal”>.+</condition>
<from>^(?s)/rest/api/.*/groupuserpicker</from>
<set type=“status”>403</set>
<to>null</to>
</rule>
{code}

Re-start Jira