Details
-
Bug
-
Resolution: Fixed
-
Low
-
6.2.5
-
None
-
6.02
-
Description
It is possible to enumerate usernames through the secure/ViewUserHover resource through the username parameter. JIRA leaks the existence of a username by showing your entire name.
1. Log out of JIRA
2. Go to http(s)://$jira/$contextpath/secure/ViewUserHover!default.jspa?username=$username_of_an_existing_user
2. Note that the username is displayed
3. Go to http(s)://$jira/$contextpath/secure/ViewUserHover!default.jspa?username=$username_of_a_user_that_does_not_exist_in_jira
4. Observe the error message "User does not exist: $username_of_an_existing_user"