LiveActive security incident?Get immediate response
CVE Record

CVE-2019-8446: The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate...

The /rest/issueNav/1/issueTable resource in Jira before version 8.3.2 allows remote attackers to enumerate usernames via an incorrect authorisation check.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

A Jira authorization flaw let remote attackers enumerate usernames through an issue navigation REST resource. That does not equal direct system takeover, but it can expose valid accounts for phishing, password spraying, and targeted follow-on attacks.

Executive priority

Treat this as a moderate-priority identity exposure issue. It is not presented as remote code execution, but it can materially increase the success rate of account attacks against Jira and connected services.

Technical view

CVE-2019-8446 affects Jira before 8.3.2. The /rest/issueNav/1/issueTable resource had an incorrect authorization check, allowing remote username enumeration. The source bundle maps this to CWE-863 and provides no CVSS vector.

Likely exposure

Organizations running Atlassian Jira versions earlier than 8.3.2 are the stated exposure. The bundle does not define exact editions, configurations, authentication requirements, or internet-facing prevalence.

Exploitation context

The bundle does not show CISA KEV listing or cited active exploitation. The realistic risk is reconnaissance: collecting valid usernames for credential attacks or social engineering against Jira users.

Researcher notes

Evidence is limited to the CVE description, Atlassian issue reference, and Talos report reference in the bundle. No CVSS, exploit maturity, detailed affected-version matrix, or configuration-specific behavior is provided here.

Mitigation direction

  • Check Atlassian guidance for JRASERVER-69777 and confirm affected versions.
  • Upgrade Jira to 8.3.2 or later where applicable.
  • Restrict external access to Jira if business requirements allow.
  • Monitor authentication logs for password spraying against enumerated accounts.
  • Enforce MFA for Jira and linked identity provider accounts.

Validation and detection

  • Inventory Jira deployments and record exact versions.
  • Confirm whether any instance is below Jira 8.3.2.
  • Review exposure of Jira to the internet or untrusted networks.
  • Verify unauthorized users cannot obtain username lists from issue navigation behavior.
  • Check logs for unusual username discovery or authentication attempts.
Prepared
Confidence
medium
Sources
4

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-863: Authorization and privilege behavior lookup

Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2019-8446 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
3Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
AtlassianJiraunspecifiedListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-863 · source CWE mapping

Incorrect Authorization

Incorrect Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.