- Bug
- Resolution: Won't Fix
- Medium
- None
- 4.3.4
- None
- 4.03
- 5
We found enumeration of usernames to be possible in Jira 4.3.4 despite the login failure message not revealing whether it was the username or password that was incorrect.
After 3 failed login attempts a captcha appears only if the user exists, otherwise not. This allows an attacker to enumerate the usernames.
Security issue found by Asbjørn Reglund Thorsen <a.r.thorsen@usit.uio.no> and Geir Harald Hansen <g.h.hansen@usit.uio.no>
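
The behaviour described in the report, modelled as an added example (not Jira's code and not the reporters'): a failed-attempt counter that only tracks existing accounts makes the captcha itself a signal, while counting by submitted username removes the difference. The class, function and sample account names are hypothetical, and the error text is constructed.

```python
import hmac

CAPTCHA_THRESHOLD = 3  # from the report: captcha appears after 3 failed logins
GENERIC_ERROR = "Sorry, your username or password is incorrect."  # constructed text


class LoginTracker:
    """Hypothetical model of a login form's failed-attempt counter."""

    def __init__(self, users, count_unknown_users):
        self.users = users                        # constructed {username: password}
        self.count_unknown_users = count_unknown_users
        self.failures = {}                        # real code needs a bounded, expiring store

    def captcha_required(self, username):
        return self.failures.get(username.lower(), 0) >= CAPTCHA_THRESHOLD

    def attempt(self, username, password):
        key = username.lower()
        stored = self.users.get(key)
        if stored is not None and hmac.compare_digest(stored, password):
            self.failures.pop(key, None)
            return "ok"
        # Reported behaviour: only existing accounts accumulate failures.
        # Hardened behaviour: count by submitted name, account or not.
        if stored is not None or self.count_unknown_users:
            self.failures[key] = self.failures.get(key, 0) + 1
        return GENERIC_ERROR  # same message in both cases, as in the report


def captcha_reveals_existence(tracker, known_user, unknown_user):
    """Regression check: True if captcha state differs between the two names."""
    for _ in range(CAPTCHA_THRESHOLD):
        tracker.attempt(known_user, "wrong-password")
        tracker.attempt(unknown_user, "wrong-password")
    return tracker.captcha_required(known_user) != tracker.captcha_required(unknown_user)


USERS = {"alice": "correct horse"}  # constructed sample account

if __name__ == "__main__":
    reported = LoginTracker(USERS, count_unknown_users=False)
    hardened = LoginTracker(USERS, count_unknown_users=True)
    print("as reported:", captcha_reveals_existence(reported, "alice", "nosuchuser"))
    print("hardened:   ", captcha_reveals_existence(hardened, "alice", "nosuchuser"))
```

A check like `captcha_reveals_existence` belongs in the login flow's regression tests, since the error message alone being generic does not cover side effects such as the captcha.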