| Summary: | ASTERISK-29251: Bug Report #21J61 (allowing an unauthenticated attacker to enumerate whether a user exists on the Jira or not ) | ||
| Reporter: | Sound Ground (foysal1197) | Labels: | |
| Date Opened: | 2021-01-16 06:53:02.000-0600 | Date Closed: | 2021-01-16 08:55:54.000-0600 |
| Priority: | Major | Regression? | |
| Status: | Closed/Complete | Components: | .Release/Targets |
| Versions: | 17.9.0 | Frequency of Occurrence | |
| Related Issues: | |||
| Environment: | Attachments: | ||
| Description: | Hi,there.
I found the https://issues.asterisk.org/rest/api/2/dashboard?maxResults=100 host deployed the jira server which version is 7.9.2,there is many public vulnerabilities on this low version. summary: The /rest/api/2/user/picker rest resource in Jira before version 7.13.3, from version 8.0.0 before version 8.0.4, and from version 8.1.0 before version 8.1.1 allows remote attackers to enumerate usernames via an incorrect authorisation check. step to reproduce visit the URL address,you can check the user whether is exist on this host https://issues.asterisk.org/rest/api/2/dashboard?maxResults=100 impact: So the attacker can enumerate all existing users on this jira server. CVE: CVE-2019-3403 Recommendations for fix updated the jira server's version or fixed Attachments area | ||
| Comments: | By: Asterisk Team (asteriskteam) 2021-01-16 06:53:02.470-0600 Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. Please note that log messages and other files should not be sent to the Sangoma Asterisk Team unless explicitly asked for. All files should be placed on this issue in a sanitized fashion as needed. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process]. Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur. Please note that by submitting data, code, or documentation to Sangoma through JIRA, you accept the Terms of Use present at [https://www.asterisk.org/terms-of-use/|https://www.asterisk.org/terms-of-use/]. By: Joshua C. Colp (jcolp) 2021-01-16 08:55:54.236-0600 We are aware of issues in the version of JIRA in use. We are evaluating a path forward for updating JIRA and the issue tracker in general, per an additional statement by Atlassian that the JIRA in use is also being discontinued. | ||