Jira Unauthorized User Enumeration (CVE-2020-14181) - Vulnerability Database


Description

Atlassian Jira Server and Data Center versions prior to the patched releases contain an information disclosure vulnerability that allows unauthenticated attackers to enumerate valid usernames through the /ViewUserHover.jspa endpoint. By observing differences in server responses when querying valid versus invalid usernames, attackers can compile a list of legitimate user accounts without requiring authentication.

Remediation

Upgrade Jira Server or Data Center to a patched version as specified in the Atlassian security advisory for CVE-2020-14181. Consult the official Atlassian advisory at https://jira.atlassian.com/browse/JRASERVER-71560 to identify the appropriate fixed version for your deployment. After upgrading, verify that the /ViewUserHover.jspa endpoint no longer discloses user existence information by testing with both valid and invalid usernames. Additionally, implement monitoring for unusual enumeration attempts and consider deploying rate limiting on authentication-related endpoints to mitigate potential follow-up attacks.
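As an added example (not Invicti's or Atlassian's code), the monitoring step above can be implemented as a log check like this one in Python: it parses constructed access-log lines in an assumed combined-style format and flags any client that, without an authenticated session, looks up many distinct usernames via /ViewUserHover.jspa within a short window. The `username` query parameter name is an assumption; the advisory only names the endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs
# Constructed sample lines in a combined-style access-log format (assumed for
# illustration). Third field = authenticated user, "-" when unauthenticated.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2020:13:55:01 +0000] "GET /secure/ViewUserHover.jspa?username=alice HTTP/1.1" 200 1843
203.0.113.5 - - [10/Oct/2020:13:55:02 +0000] "GET /secure/ViewUserHover.jspa?username=bob HTTP/1.1" 200 1851
203.0.113.5 - - [10/Oct/2020:13:55:02 +0000] "GET /secure/ViewUserHover.jspa?username=carol HTTP/1.1" 200 1209
203.0.113.5 - - [10/Oct/2020:13:55:03 +0000] "GET /secure/ViewUserHover.jspa?username=dave HTTP/1.1" 200 1209
203.0.113.5 - - [10/Oct/2020:13:55:04 +0000] "GET /secure/ViewUserHover.jspa?username=erin HTTP/1.1" 200 1209
198.51.100.7 - jsmith [10/Oct/2020:13:56:10 +0000] "GET /secure/ViewUserHover.jspa?username=alice HTTP/1.1" 200 1843
198.51.100.7 - jsmith [10/Oct/2020:13:57:45 +0000] "GET /browse/PROJ-12 HTTP/1.1" 200 52310
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*"')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["username"] = parse_qs(parts.query).get("username", [None])[0]  # param name assumed
    return rec

def find_enumeration(log_text, window_seconds=60, threshold=5):
    """Return {ip: distinct_usernames} for clients that, with no authenticated session,
    looked up at least `threshold` distinct usernames inside any `window_seconds` span."""
    events = defaultdict(list)  # ip -> [(timestamp, username)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not rec["path"].endswith("/ViewUserHover.jspa"):
            continue
        if rec["user"] != "-" or rec["username"] is None:
            continue  # authenticated hover lookups are normal UI behaviour
        events[rec["ip"]].append((rec["ts"], rec["username"]))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            names = {u for ts, u in evs[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(names) >= threshold:
                hits[ip] = len(names)
                break
    return hits
```

Tune `window_seconds` and `threshold` to the normal hover-lookup rate of your deployment before alerting on the result.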
