CVE-2019-3403

MEDIUM NUCLEI

Jira < 7.13.3, 8.0.0-8.0.3, 8.1.0 - Unauthenticated Username Enumeration via User Picker REST Endpoint


Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-3403. PoCs published by davidmckennirey, und3sc0n0c1d0. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits CVE-2019-3403, an information disclosure vulnerability in JIRA, to scrape user information via an unauthenticated API endpoint. It sends queries to the `/rest/api/2/user/picker` endpoint and processes the responses to extract user details.

Description

The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check.

Exploits (2)

nomisec WORKING POC 2 stars
by davidmckennirey · poc
https://github.com/davidmckennirey/CVE-2019-3403

This PoC exploits CVE-2019-3403, an information disclosure vulnerability in JIRA, to scrape user information via an unauthenticated API endpoint. It sends queries to the `/rest/api/2/user/picker` endpoint and processes the responses to extract user details.

Classification
Working PoC 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Atlassian JIRA (versions affected by CVE-2019-3403)
No auth needed
Prerequisites: Network access to the vulnerable JIRA instance
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 1 stars
by und3sc0n0c1d0 · poc
https://github.com/und3sc0n0c1d0/UserEnumJira

The repository contains a working PoC for CVE-2020-14181, an information disclosure vulnerability in Jira. The script enumerates valid usernames by checking responses from the ViewUserHover.jspa endpoint.

Classification
Working PoC 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Atlassian Jira
No auth needed
Prerequisites: Target URL with Jira instance · Wordlist of potential usernames
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Jira - Incorrect Authorization
MEDIUM · by Ganofins
Shodan: http.component:"Atlassian Jira" || http.component:"atlassian jira" || http.component:"atlassian confluence" || cpe:"cpe:2.3:a:atlassian:jira"

References (1)

Core References
Issue Tracking, Vendor Advisory (x_refsource_misc)
https://jira.atlassian.com/browse/JRASERVER-69242

Scores

CVSS v3 5.3
EPSS 0.5264
EPSS Percentile 98.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-863
Status published
Products (2)
atlassian/jira < 7.13.3
atlassian/jira_server 8.0.0 - 8.0.4
Published May 22, 2019
Tracked Since Feb 18, 2026