CVE-2019-8449

MEDIUM NUCLEI

Atlassian Jira < 8.4.0 - Missing Authentication

Title source: rule

Description

The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.

Exploits (3)

exploitdb WORKING POC

by Mufeed VH · pythonwebappsjava

https://www.exploit-db.com/exploits/47990

View Code ZIP pw:eip

nomisec WORKING POC 68 stars

by mufeedvh · poc

https://github.com/mufeedvh/CVE-2019-8449

View Code ZIP pw:eip

nomisec WORKING POC 2 stars

by r0lh · poc

https://github.com/r0lh/CVE-2019-8449

View Code ZIP pw:eip

Nuclei Templates (1)

Jira <8.4.0 - Information Disclosure

MEDIUMby harshbothra_

Shodan:

http.component:"Atlassian Jira" || http.component:"atlassian jira" || http.component:"atlassian confluence" || cpe:"cpe:2.3:a:atlassian:jira"

References (2)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/156172/Jira-8.3.4-Information-Disclosure.html

[Issue Tracking, Vendor Advisory] https://jira.atlassian.com/browse/JRASERVER-69796

Scores

CVSS v3 5.3

EPSS 0.7108

EPSS Percentile 98.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-306

Status published

Products (1)

atlassian/jira < 8.4.0

Published Sep 11, 2019

Tracked Since Feb 18, 2026