Details
- Bug
- Resolution: Won't Fix
- Low
- 2
- Severity 3 - Minor
Description
NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.
Steps to Reproduce:
- Log into JIRA
- Log out from JIRA
Expected Results:
- The URL shown in the address bar does not show the atl_token value
Actual Results:
- The URL shown in the address bar shows the atl_token value
Impact
After checking with the security teams, this appears to be a low-risk problem (the token is invalid after logging out). However, if atl_token is used as a request parameter on other resources, and such a page includes a resource from an external origin, the Referer header will leak the token in the request to that external resource.
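The leak path described above can be checked mechanically. The following is an added example, not code from the bug report or from JIRA: a simplified model of the Referer header a browser sends for a subresource request under the common Referrer-Policy values, a check for which sensitive query parameters (here atl_token) reach a given resource, and the obvious mitigation of stripping the token from the URL. The host names and token value are constructed for illustration.

```python
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that must never reach a third party via the Referer header.
SENSITIVE_PARAMS = {"atl_token"}

def strip_sensitive_params(url: str) -> str:
    """Mitigation: drop the XSRF token from a URL before redirecting to it or
    showing it in the address bar, so no later subresource request can leak it."""
    p = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
            if k not in SENSITIVE_PARAMS]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), p.fragment))

def referer_value(page_url: str, resource_url: str, policy: str) -> Optional[str]:
    """Simplified model of the Referer a browser attaches to a subresource
    request under the common Referrer-Policy values (None = no header sent).
    Fragments are always dropped; credentials in URLs are not modelled."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    origin = f"{page.scheme}://{page.netloc}/"
    full = urlunsplit((page.scheme, page.netloc, page.path, page.query, ""))
    same_origin = (page.scheme, page.netloc) == (res.scheme, res.netloc)
    downgrade = page.scheme == "https" and res.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":  # current browser default
        return full if same_origin else (None if downgrade else origin)
    raise ValueError(f"unknown Referrer-Policy {policy!r}")

def leaked_params(page_url: str, resource_url: str, policy: str) -> set:
    """Detection: which sensitive parameters of page_url reach resource_url."""
    ref = referer_value(page_url, resource_url, policy)
    if ref is None:
        return set()
    return {k for k, _ in parse_qsl(urlsplit(ref).query)} & SENSITIVE_PARAMS
```

Under "unsafe-url" the token reaches any external script or image the page embeds; under the default policy only the origin is sent cross-origin, but a same-origin resource still receives the full URL, which is why removing the token from the address-bar URL is the durable fix.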
Issue Links
- is duplicated by: JRACLOUD-44207 atl_token appended to request URL (Closed)
- is related to: JRASERVER-61250 JIRA puts a user's XSRF token in various resources. (Gathering Impact)