[asterisk-bugs] [JIRA] (ASTERISK-29249) Bug Report #21J59 (User enumeration through the groupuserpicker api resource - CVE-2019-8449)

Joshua C. Colp (JIRA) noreply at issues.asterisk.org
Sat Jan 16 08:55:59 CST 2021


     [ https://issues.asterisk.org/jira/browse/ASTERISK-29249?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joshua C. Colp closed ASTERISK-29249.
-------------------------------------

    Resolution: Not A Bug

We are aware of issues in the version of JIRA in use. We are evaluating a path forward for updating JIRA and the issue tracker in general, per an additional statement by Atlassian that the JIRA in use is also being discontinued.

As well, the provided URL does not display any information, as the version in use on this issue tracker does not appear to be vulnerable.

> Bug Report #21J59 (User enumeration through the groupuserpicker api resource - CVE-2019-8449)
> ---------------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-29249
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29249
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Applications/app_amd
>    Affects Versions: 17.0.1
>            Reporter: Sound Ground
>            Severity: Minor
>
> Hello,
> I found a bug: User enumeration through the group user picker API resource - CVE-2019-8449
> Summary:
> The /rest/api/latest/ group user picker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
> Steps to reproduce:
> just simply visit the url to see https://issues.asterisk.org/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=truecve
> CVE-2019-8449
> Fix:
> update your vulnerable version to 8.12.0 or higher
> References:
> http://packetstormsecurity.com/files/156172/Jira-8.3.4-Information-Disclosure.html
> Exploit:
> https://www.exploit-db.com/exploits/47990
> https://jira.atlassian.com/browse/JRASERVER-69796



--
This message was sent by Atlassian JIRA
(v6.2#6252)
