Description
Atlassian Jira Server and Data Center versions prior to the patched releases contain an information disclosure vulnerability that allows unauthenticated attackers to enumerate valid usernames through the /ViewUserHover.jspa endpoint. By observing differences in server responses when querying valid versus invalid usernames, attackers can compile a list of legitimate user accounts without requiring authentication.
Remediation
Upgrade Jira Server or Data Center to a patched version as specified in the Atlassian security advisory for CVE-2020-14181. Consult the official Atlassian advisory at https://jira.atlassian.com/browse/JRASERVER-71560 to identify the appropriate fixed version for your deployment. After upgrading, verify that the /ViewUserHover.jspa endpoint no longer discloses user existence information by testing with both valid and invalid usernames. Additionally, implement monitoring for unusual enumeration attempts and consider deploying rate limiting on authentication-related endpoints to mitigate potential follow-up attacks.
References
Related Vulnerabilities
OpenSSL Other Vulnerability (CVE-2015-0208)
Kong Server Incorrect Authorization Vulnerability (CVE-2021-27306)
Rails Asset Pipeline Directory Traversal Vulnerability
Liferay DXP URL Redirection to Untrusted Site ('Open Redirect') Vulnerability (CVE-2023-44308)
ownCloud Exposure of Resource to Wrong Sphere Vulnerability (CVE-2020-36252)