Details
-
Bug
-
Resolution: Fixed
-
Medium
-
2.8.3
-
None
-
Severity 1 - Critical
-
Description
The bundled version of atlassian-rest in Atlassian Crowd before version 2.8.4 and from version 2.9.0 before version 2.9.1 was vulnerable to a Cross-site request forgery (CSRF) vulnerability in certain browsers, for example chrome, due to an assumption that non-simple content-types could not be sent cross domain. This allowed remote attackers to bypass the Cross-site request forgery protection implemented in atlassian-rest for rest resources that depended upon consuming non-simple content-types to protect them against CSRF attacks. For more information about the atlassian-rest issue see https://ecosystem.atlassian.net/browse/REST-339 and https://ecosystem.atlassian.net/browse/REST-343.