User enumeration via an incorrect authorisation in Jira

Published on 10 Jan 2022
Vulnerability

Description

Remote attackers can enumerate usernames through the /rest/api/2/user/picker REST resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1, because the resource performs an incorrect authorisation check.

Recommendations

  • Update Jira to the latest version
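To decide whether a deployed instance still needs the update, the following added example (not part of the advisory) checks a Jira version string against the three affected ranges stated in the description; the inventory list at the bottom is constructed sample data.

```python
# Added example: classify Jira version strings against the affected ranges
# listed in the advisory (before 7.13.3, 8.0.0 <= v < 8.0.4, 8.1.0 <= v < 8.1.1).
from typing import List, Optional, Tuple

# Each range is (lower, upper) meaning lower <= v < upper; a lower bound of
# None means "every version before upper", as the advisory states for 7.13.3.
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "7.13.3"),
    ("8.0.0", "8.0.4"),
    ("8.1.0", "8.1.1"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '8.0.3' into (8, 0, 3).

    A suffix such as '-rc1' is dropped and missing components are padded
    with zeros, so '8.1' compares as 8.1.0.
    """
    core = version.strip().split("-")[0]
    parts = [int(p) for p in core.split(".") if p]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        above_lower = lower is None or v >= parse_version(lower)
        if above_lower and v < parse_version(upper):
            return True
    return False


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames from (host, version) pairs that still need the update."""
    return [host for host, version in inventory if is_affected(version)]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [("jira-a.example", "7.13.2"), ("jira-b.example", "8.0.4"),
              ("jira-c.example", "8.1.0"), ("jira-d.example", "8.2.0")]
    for host, version in sample:
        print(f"{host} {version}: {'AFFECTED' if is_affected(version) else 'ok'}")
```

The check only reflects the version ranges in the advisory; it cannot tell whether a vendor backport has been applied to an older branch.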