Cross-Site Request Forgery exposure

steve moffat February 20, 2018

Our security department has scanned our Jira (v7.4.2#74004-sha1:586975d) using an IBM tool called Appscan.  It reported a possible vulnerability.  I have to prepare a response to indicate if this is a known problem and when or if it will be fixed.  Any assistance would be appreciated.

Text from the report follows:

Cross-Site Request Forgery. It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user. The test result seems to indicate a vulnerability because the test response is identical to the original response, indicating that the Cross Site Request Forgery attempt was successful, even though it included a fictive “Referer” header.

Recommendation: Validate the value of the "Referer" header, and use a one-time-nonce for each submitted form.
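The two controls the scanner report recommends, Referer (or Origin) validation plus a one-time nonce per submitted form, are shown together below as an added example. This is not Jira's or Atlassian's code and says nothing about how Jira implements its own protection; the `CsrfGuard` class, the `https://jira.example.test` origin, the session and form identifiers and the header dictionaries are all constructed for the demonstration. The `scanner_style_probe` function replays the heuristic the report describes: a legitimate submission followed by a forged one carrying a fictive Referer and no valid token, so the two responses can be compared instead of coming back identical.

```python
import secrets
from urllib.parse import urlsplit


class CsrfGuard:
    """Per-form one-time nonces bound to a session, plus a Referer/Origin allow-list.

    Constructed example: the nonce store is an in-memory dict keyed by session id;
    a real deployment would keep it in the server-side session.
    """

    def __init__(self, allowed_origin: str):
        want = urlsplit(allowed_origin)
        self._allowed = (want.scheme, want.netloc)
        self._outstanding = {}  # session_id -> set of (form_id, nonce) not yet consumed

    def issue_token(self, session_id: str, form_id: str) -> str:
        """Mint a fresh nonce for one rendering of one form; embed it as a hidden field."""
        nonce = secrets.token_hex(16)
        self._outstanding.setdefault(session_id, set()).add((form_id, nonce))
        return nonce

    def _origin_ok(self, headers: dict) -> bool:
        """Accept only if Origin (preferred) or Referer names our own scheme and host.

        Strict choice: a request with neither header is rejected, so a forged or
        absent Referer can never be the thing that lets a request through.
        """
        lower = {k.lower(): v for k, v in headers.items()}
        src = lower.get("origin") or lower.get("referer")
        if not src:
            return False
        parts = urlsplit(src)
        return (parts.scheme, parts.netloc) == self._allowed

    def check(self, session_id: str, form_id: str, headers: dict, token: str):
        """Validate a state-changing submission; returns (accepted, reason)."""
        if not self._origin_ok(headers):
            return False, "referer/origin mismatch"
        outstanding = self._outstanding.get(session_id, set())
        if (form_id, token) not in outstanding:
            return False, "missing, forged or already-used token"
        outstanding.discard((form_id, token))  # one-time: a replay of the same nonce fails
        return True, "ok"


def scanner_style_probe(guard: CsrfGuard) -> dict:
    """Reproduce the report's test: legitimate submit vs. cross-site submit with a fictive Referer.

    Returns the guard's verdict for each so the caller can confirm the responses differ.
    """
    session = "sess-1"                      # constructed session id
    form = "edit-profile"                   # constructed form id
    token = guard.issue_token(session, form)
    legit = guard.check(session, form, {"Referer": "https://jira.example.test/profile"}, token)
    forged = guard.check(session, form, {"Referer": "https://jira.example.test/profile"}, "0" * 32)
    cross_site = guard.check(session, form, {"Origin": "https://evil.example"}, token)
    return {"legitimate": legit, "fictive_referer_no_token": forged, "cross_site_origin": cross_site}


if __name__ == "__main__":
    for name, verdict in scanner_style_probe(CsrfGuard("https://jira.example.test")).items():
        print(f"{name}: {verdict}")
```

Two design points worth noting: the Origin header is checked before Referer because browsers send it on cross-site form POSTs even when a Referrer-Policy strips the Referer, and the nonce is consumed on first successful use, which is what turns a per-session token into the "one-time-nonce" the report asks for. A scan that submits the same form twice with the same token should therefore see the second response rejected.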

1 answer

1 vote
Matt Doar
Community Champion
February 20, 2018

The security.atlassian.com page has a FAQ at https://www.atlassian.com/trust/faq

I found a vulnerability in one of your products, how do I report it?

If you discovered a vulnerability in one of our products, we appreciate if you let us know so we can get it fixed ASAP. Have a read through our instructions for how to report it and you could get some Atlassian swag or be added to our Hall of Fame.

Steve Moffat February 22, 2018

Thank you very much for the direction to report security issues.

Yes, this is what I needed!
