JRASERVER-61250: JIRA puts a user's XSRF token in various resources.

Reporter: atlassian
Created: Jun 01, 2016 - 6:40 a.m.
Source: jira.atlassian.com

{panel:bgColor=#e7f4fa}
NOTE: This bug report is for JIRA Server. Using JIRA Cloud? [See the corresponding bug report|http://jira.atlassian.com/browse/JRACLOUD-61250].
{panel}
h5. Steps to Reproduce:

Log into JIRA

Log out from JIRA

h5. Expected Results:

  • The URL shown in the address bar does not show the {{atl_token}} value

h5. Actual Results:

  • The URL shown in the address bar shows the {{atl_token}} value

h5. Impact

After checking with the security teams, this appears to be a low-risk problem (the token is invalid after logging out). However, we should probably not have tokens visible in the URL.
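A practical way to measure the exposure described above is to scan URLs (from the address bar, referer headers, or web-server access logs) for the token parameter and redact it before the URL is stored or shared. The following is an added example and not Atlassian's or JIRA's own code; it assumes the token travels as a query parameter named {{atl_token}}, and the extra names {{xsrf_token}} and {{csrf_token}} are assumed additions that show the check generalises to other applications. The log lines are constructed for the example.

```python
"""Find and redact anti-XSRF tokens that leak into URLs.

Added example (not JIRA's code).  Assumes the token is carried as a query
parameter named ``atl_token``; the other names in TOKEN_PARAMS are assumed.
"""
from __future__ import annotations

from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names treated as secrets.  ``atl_token`` is the name from
# the report; ``xsrf_token`` / ``csrf_token`` are assumed extra names.
TOKEN_PARAMS = frozenset({"atl_token", "xsrf_token", "csrf_token"})


def find_leaked_tokens(url: str) -> dict[str, str]:
    """Return {param_name: value} for every secret-bearing query parameter.

    Works for absolute URLs and for bare request targets such as
    ``/logout?atl_token=...`` as they appear in access logs.
    """
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True)
            if k.lower() in TOKEN_PARAMS}


def redact_url(url: str, placeholder: str = "REDACTED") -> str:
    """Return url with the value of every secret-bearing parameter replaced.

    Parameter order and the rest of the URL are preserved so the redacted
    URL still lines up with the original when read back from a log.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = [(k, placeholder if k.lower() in TOKEN_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_access_log(lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line_number, param_name, redacted_line) for every log line
    whose request target carries a token.

    Assumes common-log-format lines, where the request is the first quoted
    field: "METHOD /target HTTP/1.1".
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        try:
            request = line.split('"')[1]      # 'GET /target HTTP/1.1'
            target = request.split(" ")[1]    # '/target'
        except IndexError:
            continue                           # not a request line
        for name in find_leaked_tokens(target):
            findings.append((n, name, line.replace(target, redact_url(target))))
    return findings


# Constructed sample access-log lines (not real JIRA logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2016:06:40:40 +0000] "GET /login.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jun/2016:06:41:02 +0000] '
    '"GET /logout?atl_token=EXAMPLE-TOKEN-VALUE HTTP/1.1" 302 0',
    '10.0.0.7 - - [01/Jun/2016:06:41:10 +0000] "GET /browse/ABC-1 HTTP/1.1" 200 8192',
]


if __name__ == "__main__":
    for line_no, param, redacted in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: leaked {param!r} -> {redacted}")
```

Running the scanner over a day of access logs tells you how often the token reaches the server in a URL (and therefore in proxy logs, browser history and referer headers), which is the evidence a defender needs to decide whether the low-risk rating above still holds for a given deployment.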

Affected configurations (Vulners):

  • atlassian jira_data_center, range 6.3.9
  OR
  • atlassian jira_data_center, range 7.1.1