Jira Server and Data Center: JRASERVER-44644

Username enumeration through the username parameter to the ViewUserHover resource.

      Description

      It is possible to enumerate usernames through the username parameter of the secure/ViewUserHover resource: JIRA leaks whether a username exists by displaying that user's full name.
      1. Log out of JIRA
      2. Go to http(s)://$jira/$contextpath/secure/ViewUserHover!default.jspa?username=$username_of_an_existing_user
      3. Note that the user's name is displayed
      4. Go to http(s)://$jira/$contextpath/secure/ViewUserHover!default.jspa?username=$username_of_a_user_that_does_not_exist_in_jira
      5. Observe the error message "User does not exist: $username_of_a_user_that_does_not_exist_in_jira"

              People

              Assignee: Oswaldo Hernandez (Inactive)
              Reporter: Eduardo Alves
