
Jira Unauthorized User Enumeration via UserPickerBrowser

Description

Atlassian Jira exposes an unauthenticated endpoint at /secure/popups/UserPickerBrowser.jspa that allows anonymous users to enumerate valid usernames within the system. By accessing this endpoint with parameters such as ?max=10, attackers can retrieve a list of Jira users without requiring authentication. This information disclosure vulnerability affects Jira instances where anonymous access has not been properly restricted.

Remediation

Restrict anonymous access to the UserPickerBrowser endpoint by implementing the following measures:

1. Disable Anonymous Access: Navigate to Jira Administration → System → Global Permissions and ensure that the 'Browse Users and Groups' permission is not granted to anonymous users.

2. Configure Application Access: Go to Jira Administration → System → Security Configuration and verify that 'Allow people to sign up' is disabled if not required.

3. Implement Web Application Firewall Rules: Block unauthenticated requests to /secure/popups/UserPickerBrowser.jspa at the network perimeter or reverse proxy level.

4. Review Anonymous Permissions: Audit all permissions granted to anonymous users following the guidance in Atlassian's documentation on controlling anonymous user access to ensure minimal exposure of sensitive endpoints.
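After applying the steps above, a defender will want to confirm that the endpoint no longer renders for anonymous requests. The following check is an added example, not part of the Invicti entry or an Atlassian tool: it sends one unauthenticated GET per Jira base URL and reports only a verdict, never the returned content. The status-code interpretation (200 means the picker rendered, 401/403 or a redirect to the login page means access is restricted) is an assumption about Jira's behaviour, not something the entry states.

```python
"""Post-remediation check: does Jira still serve UserPickerBrowser anonymously?"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Endpoint and parameter named in the advisory; max=10 keeps any response small.
USER_PICKER_PATH = "secure/popups/UserPickerBrowser.jspa?max=10"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so a 302 to the login page stays visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx code


def http_fetch(url, timeout=10):
    """Unauthenticated GET (live network call); returns (status, Location header)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "jira-anon-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location", "")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location", "")


def classify(status, location=""):
    """Map an unauthenticated response to a verdict (assumed Jira semantics)."""
    if status == 200:
        return "EXPOSED"          # picker page rendered for an anonymous caller
    if status in (401, 403):
        return "RESTRICTED"
    if status in (301, 302, 303, 307, 308) and "login" in location.lower():
        return "RESTRICTED"       # bounced to the login page
    return "UNKNOWN"


def check_instances(base_urls, fetch=http_fetch):
    """Return {base_url: verdict}; `fetch` is injectable for offline testing."""
    results = {}
    for base in base_urls:
        target = urljoin(base.rstrip("/") + "/", USER_PICKER_PATH)
        status, location = fetch(target)
        results[base] = classify(status, location)
    return results


if __name__ == "__main__":
    import sys
    for url, verdict in check_instances(sys.argv[1:]).items():
        print(f"{verdict:10s} {url}")
```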
