Vulnerabilities > CVE-2019-3403 - Incorrect Authorization vulnerability in Atlassian Jira

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

atlassian

CWE-863

nessus

NVD

Published: 2019-05-22

Updated: 2022-03-25

Summary

The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.

Vulnerable Configurations

Part	Description	Count
Application	Atlassian Atlassian Jira - Atlassian Jira 2.1 Atlassian Jira 2.2 Atlassian Jira 2.2.1 Atlassian Jira 2.3 Atlassian Jira 2.4.1 Atlassian Jira 2.5.1 Atlassian Jira 2.5.2 Atlassian Jira 2.5.3 Atlassian Jira 2.6 Atlassian Jira 2.6.1 Atlassian Jira 3.0 Atlassian Jira 3.0.1 Atlassian Jira 3.0.2 Atlassian Jira 3.0.3 Atlassian Jira 3.1 Atlassian Jira 3.1.1 Atlassian Jira 3.2 Atlassian Jira 3.2.1 Atlassian Jira 3.2.2 Atlassian Jira 3.2.3 Atlassian Jira 3.3 Atlassian Jira 3.3.1 Atlassian Jira 3.3.2 Atlassian Jira 3.3.3 Atlassian Jira 3.4 Atlassian Jira 3.4.1 Atlassian Jira 3.4.2 Atlassian Jira 3.4.3 Atlassian Jira 3.5 Atlassian Jira 3.5.1 Atlassian Jira 3.5.2 Atlassian Jira 3.5.3 Atlassian Jira 3.6 Atlassian Jira 3.6.1 Atlassian Jira 3.6.2 Atlassian Jira 3.6.2_156 Atlassian Jira 3.6.3 Atlassian Jira 3.6.4 Atlassian Jira 3.6.5 Atlassian Jira 3.7 Atlassian Jira 3.7.1 Atlassian Jira 3.7.2 Atlassian Jira 3.7.3 Atlassian Jira 3.7.4 Atlassian Jira 3.8 Atlassian Jira 3.8.1 Atlassian Jira 3.9 Atlassian Jira 3.9.1 Atlassian Jira 3.9.2 Atlassian Jira 3.9.3 Atlassian Jira 3.10 Atlassian Jira 3.10.1 Atlassian Jira 3.10.2 Atlassian Jira 3.11 Atlassian Jira 3.12 Atlassian Jira 3.12.1 Atlassian Jira 3.12.2 Atlassian Jira 3.12.3 Atlassian Jira 3.13 Atlassian Jira 3.13.1 Atlassian Jira 3.13.2 Atlassian Jira 3.13.3 Atlassian Jira 3.13.4 Atlassian Jira 3.13.5 Atlassian Jira 4.0 Atlassian Jira 4.0.1 Atlassian Jira 4.0.2 Atlassian Jira 4.1 Atlassian Jira 4.1.1 Atlassian Jira 4.1.2 Atlassian Jira 4.2 Atlassian Jira 4.2.1 Atlassian Jira 4.2.2 Atlassian Jira 4.2.3 Atlassian Jira 4.2.4 Atlassian Jira 4.3 Atlassian Jira 4.3.1 Atlassian Jira 4.3.2 Atlassian Jira 4.3.3 Atlassian Jira 4.3.4 Atlassian Jira 4.4 Atlassian Jira 4.4.1 Atlassian Jira 4.4.2 Atlassian Jira 4.4.3 Atlassian Jira 4.4.4 Atlassian Jira 4.4.5 Atlassian Jira 4.5.0 Atlassian Jira 4.5.1 Atlassian Jira 4.5.2 Atlassian Jira 4.5.3 Atlassian Jira 4.5.4 Atlassian Jira 4.5.5 Atlassian Jira 4.5.6 Atlassian Jira 4.6.0 Atlassian Jira 4.6.1 Atlassian Jira 4.7.0 Atlassian Jira 4.7.1 Atlassian Jira 4.8.0 Atlassian Jira 4.8.1 Atlassian Jira 4.9.0 Atlassian Jira 4.9.1 Atlassian Jira 4.10.0 Atlassian Jira 4.11.0 Atlassian Jira 4.21.0 Atlassian Jira 5.0 Atlassian Jira 5.0.1 Atlassian Jira 5.0.2 Atlassian Jira 5.0.3 Atlassian Jira 5.0.4 Atlassian Jira 5.0.5 Atlassian Jira 5.0.6 Atlassian Jira 5.0.7 Atlassian Jira 5.1 Atlassian Jira 5.1.1 Atlassian Jira 5.1.2 Atlassian Jira 5.1.3 Atlassian Jira 5.1.4 Atlassian Jira 5.1.5 Atlassian Jira 5.1.6 Atlassian Jira 5.1.7 Atlassian Jira 5.1.8 Atlassian Jira 5.2 Atlassian Jira 5.2.1 Atlassian Jira 5.2.2 Atlassian Jira 5.2.3 Atlassian Jira 5.2.4 Atlassian Jira 5.2.4.1 Atlassian Jira 5.2.5 Atlassian Jira 5.2.6 Atlassian Jira 5.2.7 Atlassian Jira 5.2.8 Atlassian Jira 5.2.9 Atlassian Jira 5.2.10 Atlassian Jira 5.2.11 Atlassian Jira 6.0 Atlassian Jira 6.0.1 Atlassian Jira 6.0.2 Atlassian Jira 6.0.3 Atlassian Jira 6.0.4 Atlassian Jira 6.0.5 Atlassian Jira 6.0.6 Atlassian Jira 6.0.7 Atlassian Jira 6.0.8 Atlassian Jira 6.1 Atlassian Jira 6.1.1 Atlassian Jira 6.1.2 Atlassian Jira 6.1.3 Atlassian Jira 6.1.4 Atlassian Jira 6.1.5 Atlassian Jira 6.1.6 Atlassian Jira 6.1.7 Atlassian Jira 6.1.8 Atlassian Jira 6.1.9 Atlassian Jira 6.2 Atlassian Jira 6.2.1 Atlassian Jira 6.2.2 Atlassian Jira 6.2.3 Atlassian Jira 6.2.4 Atlassian Jira 6.2.5 Atlassian Jira 6.2.6 Atlassian Jira 6.2.7 Atlassian Jira 6.3 Atlassian Jira 6.3.1 Atlassian Jira 6.3.3 Atlassian Jira 6.3.4 Atlassian Jira 6.3.5 Atlassian Jira 6.3.6 Atlassian Jira 6.3.7 Atlassian Jira 6.3.8 Atlassian Jira 6.3.9 Atlassian Jira 6.3.10 Atlassian Jira 6.3.11 Atlassian Jira 6.3.12 Atlassian Jira 6.3.13 Atlassian Jira 6.3.14 Atlassian Jira 6.3.15 Atlassian Jira 6.4 Atlassian Jira 6.4.1 Atlassian Jira 6.4.2 Atlassian Jira 6.4.3 Atlassian Jira 6.4.4 Atlassian Jira 6.4.5 Atlassian Jira 6.4.6 Atlassian Jira 6.4.7 Atlassian Jira 6.4.8 Atlassian Jira 6.4.9 Atlassian Jira 6.4.10 Atlassian Jira 6.4.11 Atlassian Jira 6.4.12 Atlassian Jira 6.4.13 Atlassian Jira 6.4.14 Atlassian Jira 7.0.0 Atlassian Jira 7.0.2 Atlassian Jira 7.0.3 Atlassian Jira 7.0.4 Atlassian Jira 7.0.5 Atlassian Jira 7.0.9 Atlassian Jira 7.0.10 Atlassian Jira 7.0.10_ Atlassian Jira 7.0.11 Atlassian Jira 7.1.0 Atlassian Jira 7.1.1 Atlassian Jira 7.1.2 Atlassian Jira 7.1.4 Atlassian Jira 7.1.6 Atlassian Jira 7.1.7 Atlassian Jira 7.1.8 Atlassian Jira 7.1.9 Atlassian Jira 7.1.10 Atlassian Jira 7.1.12 Atlassian Jira 7.1.13 Atlassian Jira 7.1.14 Atlassian Jira 7.1.15 Atlassian Jira 7.1.16 Atlassian Jira 7.1.17 Atlassian Jira 7.2.0 Atlassian Jira 7.2.1 Atlassian Jira 7.2.2 Atlassian Jira 7.2.3 Atlassian Jira 7.2.4 Atlassian Jira 7.2.5 Atlassian Jira 7.2.6 Atlassian Jira 7.2.7 Atlassian Jira 7.2.8 Atlassian Jira 7.2.9 Atlassian Jira 7.2.10 Atlassian Jira 7.2.11 Atlassian Jira 7.2.12 Atlassian Jira 7.2.13 Atlassian Jira 7.2.14 Atlassian Jira 7.2.15 Atlassian Jira 7.3.0 Atlassian Jira 7.3.1 Atlassian Jira 7.3.2 Atlassian Jira 7.3.3 Atlassian Jira 7.3.4 Atlassian Jira 7.3.5 Atlassian Jira 7.3.6 Atlassian Jira 7.3.7 Atlassian Jira 7.3.8 Atlassian Jira 7.3.9 Atlassian Jira 7.4.0 Atlassian Jira 7.4.1 Atlassian Jira 7.4.2 Atlassian Jira 7.4.3 Atlassian Jira 7.4.4 Atlassian Jira 7.4.5 Atlassian Jira 7.4.6 Atlassian Jira 7.5.0 Atlassian Jira 7.5.1 Atlassian Jira 7.5.2 Atlassian Jira 7.5.3 Atlassian Jira 7.5.4 Atlassian Jira 7.6 Atlassian Jira 7.6.0 Atlassian Jira 7.6.1 Atlassian Jira 7.6.2 Atlassian Jira 7.6.3 Atlassian Jira 7.6.4 Atlassian Jira 7.6.5 Atlassian Jira 7.6.6 Atlassian Jira 7.6.7 Atlassian Jira 7.6.8 Atlassian Jira 7.6.9 Atlassian Jira 7.6.10 Atlassian Jira 7.6.11 Atlassian Jira 7.6.12 Atlassian Jira 7.6.13 Atlassian Jira 7.6.14 Atlassian Jira 7.6.15 Atlassian Jira 7.6.16 Atlassian Jira 7.6.17 Atlassian Jira 7.7 Atlassian Jira 7.7.0 Atlassian Jira 7.7.1 Atlassian Jira 7.7.2 Atlassian Jira 7.7.3 Atlassian Jira 7.7.4 Atlassian Jira 7.7.5 Atlassian Jira 7.8.0 Atlassian Jira 7.8.1 Atlassian Jira 7.8.2 Atlassian Jira 7.8.3 Atlassian Jira 7.8.4 Atlassian Jira 7.8.5 Atlassian Jira 7.9.0 Atlassian Jira 7.9.1 Atlassian Jira 7.9.2 Atlassian Jira 7.9.3 Atlassian Jira 7.10.0 Atlassian Jira 7.10.1 Atlassian Jira 7.10.2 Atlassian Jira 7.10.3 Atlassian Jira 7.11.0 Atlassian Jira 7.11.1 Atlassian Jira 7.11.2 Atlassian Jira 7.11.3 Atlassian Jira 7.12.0 Atlassian Jira 7.12.1 Atlassian Jira 7.12.2 Atlassian Jira 7.12.3 Atlassian Jira 7.12.4 Atlassian Jira 7.13.0 Atlassian Jira 7.13.1 Atlassian Jira 7.13.2 Atlassian Jira Server 8.1.0 Atlassian Jira Server 8.0.0 Atlassian Jira Server 8.0.1 Atlassian Jira Server 8.0.2 Atlassian Jira Server 8.0.3	486

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

Nessus

NASL family	CGI abuses
NASL id	JIRA_8_1_1.NASL
description	According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is potentially affected by an information disclosure vulnerability in the /rest/api/2/user/picker rest resource due to incorrect authorization checks. An unauthenticated, remote attacker can exploit this to enumerate usernames. (CVE-2019-3403)
last seen	2020-03-18
modified	2019-10-25
plugin id	130267
published	2019-10-25
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130267
title	Atlassian Jira 7.13.x < 7.13.3 / 8.0.x < 8.0.4 / 8.1.x < 8.1.1 Information Disclosure Vulnerability
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(130267); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/28"); script_cve_id("CVE-2019-3403"); script_name(english:"Atlassian Jira 7.13.x < 7.13.3 / 8.0.x < 8.0.4 / 8.1.x < 8.1.1 Information Disclosure Vulnerability"); script_set_attribute(attribute:"synopsis", value: "The remote web server hosts a web application that is potentially affected by an information disclosure vulnerability."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the instance of Atlassian Jira hosted on the remote web server is potentially affected by an information disclosure vulnerability in the /rest/api/2/user/picker rest resource due to incorrect authorization checks. An unauthenticated, remote attacker can exploit this to enumerate usernames. (CVE-2019-3403) "); # https://jira.atlassian.com/browse/JRASERVER-69242 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9cfd6d45"); script_set_attribute(attribute:"solution", value: "Upgrade to Atlassian Jira version 7.13.3 / 8.1.1 / 8.2.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-3403"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/19"); script_set_attribute(attribute:"patch_publication_date", value:"2019/04/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/25"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:atlassian:jira"); script_set_attribute(attribute:"agent", value:"all"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("jira_detect.nasl", "atlassian_jira_win_installed.nbin", "atlassian_jira_nix_installed.nbin"); script_require_keys("installed_sw/Atlassian JIRA"); exit(0); } include('vcf.inc'); app_info = vcf::combined_get_app_info(app:'Atlassian JIRA'); constraints = [ { 'min_version' : '7.13.0', 'fixed_version' : '7.13.3' }, { 'min_version' : '8.0.0', 'fixed_version' : '8.1.1' } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);

References

https://jira.atlassian.com/browse/JRASERVER-69242