[asterisk-bugs] [JIRA] (ASTERISK-29251) Bug Report #21J61 (allowing an unauthenticated attacker to enumerate whether a user exists on the Jira or not )

Joshua C. Colp (JIRA) noreply at issues.asterisk.org
Sat Jan 16 08:55:59 CST 2021


     [ https://issues.asterisk.org/jira/browse/ASTERISK-29251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joshua C. Colp closed ASTERISK-29251.
-------------------------------------

    Resolution: Suspended

We are aware of issues in the version of JIRA in use. We are evaluating a path forward for updating JIRA and the issue tracker in general, per an additional statement by Atlassian that the JIRA in use is also being discontinued.

> Bug Report #21J61 (allowing an unauthenticated attacker to enumerate whether a user exists on the Jira or not )
> ---------------------------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-29251
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29251
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: .Release/Targets
>    Affects Versions: 17.9.0
>            Reporter: Sound Ground
>
> Hi, there.
> I found that the https://issues.asterisk.org/rest/api/2/dashboard?maxResults=100 host has deployed the Jira server, version 7.9.2; there are many public vulnerabilities for this old version.
> Summary:
> The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
> Steps to reproduce:
> Visit the URL address; you can check whether a user exists on this host.
> https://issues.asterisk.org/rest/api/2/dashboard?maxResults=100
> Impact:
> So the attacker can enumerate all existing users on this Jira server.
> CVE:
> CVE-2019-3403
> Recommendations for fix:
> Update the Jira server's version or apply a fix.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
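As an added example (not code from the report, Asterisk or Atlassian), a defender-side triage check for the behaviour the CVE describes: it scans web-server access logs for clients that issue many distinct lookups against /rest/api/2/user/picker, the endpoint named by CVE-2019-3403, without any authenticated user recorded. The log lines are constructed, and the script assumes the combined log format with the remote-user field set when a session is authenticated (Jira behind Tomcat often logs "-" there regardless, so treat hits as leads to confirm against application logs).

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Path named in CVE-2019-3403; bulk lookups here by anonymous clients are the signal.
PICKER_PATH = "/rest/api/2/user/picker"

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jan/2021:08:40:01 -0600] "GET /rest/api/2/user/picker?query=admin HTTP/1.1" 200 312 "-" "curl/7.64.1"
203.0.113.7 - - [16/Jan/2021:08:40:02 -0600] "GET /rest/api/2/user/picker?query=jcolp HTTP/1.1" 200 298 "-" "curl/7.64.1"
203.0.113.7 - - [16/Jan/2021:08:40:02 -0600] "GET /rest/api/2/user/picker?query=bob HTTP/1.1" 200 41 "-" "curl/7.64.1"
203.0.113.7 - - [16/Jan/2021:08:40:03 -0600] "GET /rest/api/2/user/picker?query=alice HTTP/1.1" 200 41 "-" "curl/7.64.1"
198.51.100.4 - jsmith [16/Jan/2021:08:41:10 -0600] "GET /rest/api/2/user/picker?query=jo HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Jan/2021:08:41:12 -0600] "GET /rest/api/2/dashboard?maxResults=100 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# ip, ident, remote-user, [timestamp], "METHOD target PROTO", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, user, path, query-param dict, status), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return (m.group("ip"), m.group("user"), parts.path,
            parse_qs(parts.query), int(m.group("status")))

def find_enumeration(log_text, min_distinct=3):
    """Group successful user-picker lookups by client IP and flag clients that
    probed at least min_distinct distinct names with no authenticated user ('-')."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, user, path, params, status = rec
        if path != PICKER_PATH or status != 200 or user != "-":
            continue
        for q in params.get("query", []):
            probes[ip].add(q)
    return {ip: sorted(qs) for ip, qs in probes.items() if len(qs) >= min_distinct}

if __name__ == "__main__":
    for ip, names in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} distinct user-picker queries: {', '.join(names)}")
```

Lower `min_distinct` or add a time window if the real log volume is small; the point is a single source walking through many candidate names.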