- Type: Bug
- Resolution: Tracked Elsewhere
- Priority: Medium
- Affects Version/s: 5.0.3
- Component/s: REST API
Several REST web services are vulnerable to XSRF, allowing a malicious web page to invoke them in the context of a logged-in user's browser.
It's understood that JIRA REST interfaces are typically protected against XSRF based on the content type they consume: a browser cannot send a cross-origin JSON body from a plain HTML form. The following methods are vulnerable because they consume content types that a standard HTML form can submit:
- MediaType.TEXT_PLAIN
- MediaType.MULTIPART_FORM_DATA
- MediaType.APPLICATION_FORM_URLENCODED
- MediaType.WILDCARD
The severity of these vulnerabilities varies from adding voters or voting on issues to updating project and user avatars.
| Filename | Methods |
|---|---|
| FavouriteResource.java | |
| IssueResource.java | |
| JiraInlineActionResource.java | |
| MessageHandlersResource.java | |
| ProjectAvatarResource.java | |
| ProjectCategoriesResource.java | |
| ProjectResource.java | |
| RenderersResource.java | |
| UserResource.java | |
| ValidationResource.java | |
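As an added example (not JIRA's code and not part of this report), a small audit script that flags JAX-RS resource methods whose effective @Consumes admits one of the four form-submittable content types listed above. It honours a class-level @Consumes as the default for methods without their own, treats a missing @Consumes as the JAX-RS default of accepting any content type, and only reports state-changing verbs; the AvatarResource sample it scans is constructed for the example.

```python
import re
# Content types a plain HTML <form> can submit (the report's list): JAX-RS constant -> MIME.
FORM_SUBMITTABLE = {"TEXT_PLAIN": "text/plain", "MULTIPART_FORM_DATA": "multipart/form-data",
                    "APPLICATION_FORM_URLENCODED": "application/x-www-form-urlencoded", "WILDCARD": "*/*"}
STATE_CHANGING = {"POST", "PUT", "DELETE"}
SIGNATURE_RE = re.compile(r"^(?:public|protected|private)\s+[\w<>\[\],\s]+?\s+(\w+)\s*\(")

def consumes_of(annotations):
    """MIME types named by a @Consumes annotation (constants or string literals), else None."""
    for ann in annotations:
        if ann.startswith("@Consumes"):
            names = re.findall(r"MediaType\.(\w+)", ann)
            return {FORM_SUBMITTABLE.get(n, n) for n in names} | set(re.findall(r'"([^"]+)"', ann))
    return None

def scan_resource(source):
    """(method, verb, form_types) for each POST/PUT/DELETE whose effective @Consumes is form-submittable."""
    findings, pending, class_consumes = [], [], None
    for line in source.splitlines():
        s = line.strip()
        if s.startswith("@"):
            pending.append(s)                               # annotation preceding a declaration
        elif pending and pending[-1].count("(") > pending[-1].count(")"):
            pending[-1] += " " + s                          # continuation of a multi-line annotation
        elif re.search(r"\bclass\s+\w+", s):
            class_consumes, pending = consumes_of(pending), []   # class-level default for its methods
        elif m := SIGNATURE_RE.match(s):
            verbs = {a[1:].split("(")[0] for a in pending} & STATE_CHANGING
            # own @Consumes, else the class-level one, else the JAX-RS default of any type
            consumes = consumes_of(pending) or class_consumes or {"*/*"}
            hits = sorted(consumes & set(FORM_SUBMITTABLE.values()))
            if verbs and hits:
                findings.append((m.group(1), verbs.pop(), hits))
            pending = []
    return findings

SAMPLE = """
@Consumes(MediaType.APPLICATION_JSON)
public class AvatarResource {
    @POST
    @Consumes(MediaType.MULTIPART_FORM_DATA)
    public Response upload(InputStream body) { return null; }
    @PUT
    @Consumes({MediaType.TEXT_PLAIN,
               "application/json"})
    public Response rename(String name) { return null; }
    @DELETE
    public Response remove() { return null; }   // class-level JSON applies: not form-postable
}
"""  # constructed sample resource, not JIRA code
```

Running `scan_resource(SAMPLE)` reports `upload` (POST, multipart/form-data) and `rename` (PUT, text/plain) and leaves `remove` alone, since its class-level JSON-only @Consumes cannot be satisfied by a browser form.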
- has requirement: SCT-299