Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-28171

Several REST interfaces vulnerable to XSRF

XMLWordPrintable

      Several REST web services are vulnerable to XSRF, allowing malicious web pages to execute them under the context of a logged in users browser.

      It's understood that JIRA REST interfaces are typically protected against XSRF based on the content-type they consume. The following methods are vulnerable as they consume content types that can be submitted by a standard HTML form:

      • MediaType.TEXT_PLAIN
      • MediaType.MULTIPART_FORM_DATA
      • MediaType.APPLICATION_FORM_URLENCODED
      • MediaType.WILDCARD

      The severity of these vulnerabilities vary from adding voters/voting on issues, to updating project and user avatars.

      Filename Methods
      FavouriteResource.java
      • Undo
      IssueResource.java
      • addVoter
      • addWatcher
      JiraInlineActionResource.java
      • watchIssue
      • voteIssue
      MessageHandlersResource.java
      • validate
      • testHandler
      ProjectAvatarResource.java
      • updateUserAvatar
      ProjectCategoriesResource.java
      • setCurrent
      ProjectResource.java
      • storeTemporaryAvatar
      • storeTemporaryAvatarUsingMultiPart
      RenderersResource.java
      • getRenderedContent
      UserResource.java
      • updateUserAvatar
      • createAvatarFromTermporary
      • storeTemporaryAvatar
      • storeTemporaryAvatarUsingMultiPart
      ValidationResource.java
      • validateProject

              Unassigned Unassigned
              f4e9401f9900 Dan Hodson
              Votes:
              0 Vote for this issue
              Watchers:
              11 Start watching this issue

                Created:
                Updated:
                Resolved: