Web Sudo should be able to be subverted for non-browsers (e.g. scripts) via an HTTP header

2011-07-01T10:40:14
ID ATLASSIAN:JRASERVER-24956
Type atlassian
Reporter bbaker
Modified 2019-03-28T00:02:56

Description

We do this for XSRF protection. Basically you should be able to subvert the web sudo mechanism via an HTTP header.

This post shows the use case:

https://answers.atlassian.com/questions/1273/jira-jelly-runner-via-cron-in-v4-3-4

I believe it is just as secure, since web sudo is really designed to stop someone using your browser (directly or via XSRF) to perform admin actions as you.

Scripts don't suffer this problem. They need your username and password to run at all.