Uploaded image for project: 'Jira Cloud'
  1. Jira Cloud
  2. JRACLOUD-61250

JIRA puts a user's XSRF token in various resources.

    XMLWordPrintable

Details

    Description

      NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.

      Steps to Reproduce:
      1. Log into JIRA
      2. Log out from JIRA
      Expected Results:
      1. The URL shown in the address bar does not show the atl_token value
      Actual Results:
      1. The URL shown in the address bar shows the atl_token value
      Impact

      After checking with the security teams, this appears to be a low risk problem (as the token is invalid after logging out). However, if there are other resources where atl_token is used as a request parameter and a resource from an external resource is included then the referrer header will leak the token (in the request to the external resource).

      Attachments

        Issue Links

          is duplicated by

          Suggestion - JRACLOUD-44207 atl_token appended to request URL

          • Closed
          is related to

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-61250 JIRA puts a user's XSRF token in various resources.

          • Low - Low priority issues
          • Gathering Impact
          mentioned in

          Page Loading...

          Page Loading...

          Page Loading...

          Activity

            People

              hobweger@atlassian.com Hannes Obweger (Inactive)
              dnorton@atlassian.com Dave Norton
              Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: