Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-44644

Username enumeration through the username parameter to the ViewUserHover resource.

    XMLWordPrintable

Details

    Description

      It is possible to enumerate usernames through the secure/ViewUserHover resource through the username parameter. JIRA leaks the existence of a username by showing your entire name.
      1. Log out of JIRA
      2. Go to http(s)://$jira/$contextpath/secure/ViewUserHover!default.jspa?username=$username_of_an_existing_user
      2. Note that the username is displayed
      3. Go to http(s)://$jira/$contextpath/secure/ViewUserHover!default.jspa?username=$username_of_a_user_that_does_not_exist_in_jira
      4. Observe the error message "User does not exist: $username_of_an_existing_user"

      Attachments

        Issue Links

          mentioned in

          Page Loading...

          relates to

          JSEC-3 Loading...

          Activity

            People

              ohernandez@atlassian.com Oswaldo Hernandez (Inactive)
              5b2ef6a57ece Eduardo Alves
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: