CVE-2019-8449

MEDIUM NUCLEI

Jira < 8.4.0 - Information Disclosure via Group User Picker Endpoint

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2019-8449. PoCs published by Mufeed VH, mufeedvh, r0lh. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit leverages an information disclosure vulnerability in Jira (CVE-2019-8449) to enumerate usernames via an unauthenticated API endpoint. It sends a crafted GET request to the `/rest/api/latest/groupuserpicker` endpoint with user-controlled parameters to retrieve user details.

Description

The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

Exploits (3)

exploitdb WORKING POC
by Mufeed VH · pythonwebappsjava
https://www.exploit-db.com/exploits/47990

This exploit leverages an information disclosure vulnerability in Jira (CVE-2019-8449) to enumerate usernames via an unauthenticated API endpoint. It sends a crafted GET request to the `/rest/api/latest/groupuserpicker` endpoint with user-controlled parameters to retrieve user details.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Atlassian Jira versions 2.1 to 8.3.4
No auth needed
Prerequisites: Network access to the Jira instance · Target endpoint must be accessible
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 68 stars
by mufeedvh · poc
https://github.com/mufeedvh/CVE-2019-8449

This PoC exploits CVE-2019-8449, an information disclosure vulnerability in Jira versions 2.1 to 8.3.4, allowing unauthenticated attackers to enumerate usernames via the `/rest/api/latest/groupuserpicker` endpoint. The script sends a crafted GET request with user-controlled parameters to retrieve sensitive user data.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Atlassian Jira 2.1 - 8.3.4
No auth needed
Prerequisites: Network access to the Jira instance · Vulnerable Jira version (2.1 - 8.3.4)
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by r0lh · poc
https://github.com/r0lh/CVE-2019-8449

This Go script exploits CVE-2019-8449, a user enumeration vulnerability in Jira versions before 8.4.0. It queries the `/rest/api/latest/groupuserpicker` endpoint with crafted parameters to check if a username exists.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Atlassian Jira < 8.4.0
No auth needed
Prerequisites: Network access to the Jira server · List of usernames to test
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Jira <8.4.0 - Information Disclosure
MEDIUMby harshbothra_
Shodan: http.component:"Atlassian Jira" || http.component:"atlassian jira" || http.component:"atlassian confluence" || cpe:"cpe:2.3:a:atlassian:jira"

References (2)

Core 2
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://jira.atlassian.com/browse/JRASERVER-69796
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/156172/Jira-8.3.4-Information-Disclosure.html

Scores

CVSS v3 5.3
EPSS 0.8477
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-306
Status published
Products (1)
atlassian/jira < 8.4.0
Published Sep 11, 2019
Tracked Since Feb 18, 2026