JIRA puts a user's XSRF token in various resources.

    • Severity 3 - Minor

      NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.

      Steps to Reproduce:
      1. Log into JIRA
      2. Log out from JIRA

      Expected Results:
      1. The URL shown in the address bar does not show the atl_token value

      Actual Results:
      1. The URL shown in the address bar shows the atl_token value

      Impact:

      After checking with the security teams, this appears to be a low-risk problem (the token is invalid after logging out). However, if there are other resources where atl_token is used as a request parameter and the page includes a resource from an external host, the Referer header sent with the request for that external resource will leak the token.
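      The impact note above describes two things a defender would want to check for: pages that carry atl_token in the URL query string (the precondition for the leak), and whether the browser's referrer policy would actually send that query string to a cross-origin resource. The following is an added example, not code from the bug report or from Atlassian. It scans constructed access-log lines in Apache/nginx Combined Log Format for atl_token in the request URL and in the Referer field, redacts the token value in its findings, and classifies Referrer-Policy values by whether they forward the full URL (query included) to a third-party host.

```python
"""Detect XSRF tokens (atl_token) exposed in URLs and judge referrer-policy exposure.

Added example; the log lines are constructed for illustration, not taken from a
real JIRA instance. Assumes Combined Log Format (client, ident, user, timestamp,
request line, status, bytes, referer, user-agent).
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "atl_token"

# Constructed sample log lines (RFC 5737 documentation IPs, .test domain).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /logout?atl_token=EXAMPLE-TOKEN-1 HTTP/1.1" 302 0 "https://jira.example.test/secure/Dashboard.jspa" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "POST /secure/DeleteIssue.jspa HTTP/1.1" 200 310 "https://jira.example.test/browse/TEST-1?atl_token=EXAMPLE-TOKEN-2" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def token_in_url(url):
    """True if the URL's query string carries the XSRF token parameter."""
    if not url or url == "-":
        return False
    return any(k == TOKEN_PARAM for k, _ in parse_qsl(urlsplit(url).query))


def redact_token(url):
    """Return the URL with the token value replaced, so findings don't re-log it."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == TOKEN_PARAM else v)
             for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def find_token_exposures(log_text):
    """Report log entries where atl_token appears in the request URL or Referer.

    A token in the request URL is the precondition for the leak. A token in the
    Referer of a same-site request shows a browser has already sent that URL as
    a referrer once; it would send the same header to any external host that
    page embeds, unless the referrer policy strips the query string.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if token_in_url(m["target"]):
            findings.append({"ip": m["ip"], "ts": m["ts"], "where": "request-url",
                             "url": redact_token(m["target"])})
        if token_in_url(m["referer"]):
            findings.append({"ip": m["ip"], "ts": m["ts"], "where": "referer",
                             "url": redact_token(m["referer"])})
    return findings


def referrer_policy_sends_query(policy):
    """Does this Referrer-Policy forward the full URL (with query) to a
    cross-origin HTTPS resource from an HTTPS page?

    Only the two policies below send the full URL in that case; the origin-only
    variants send just scheme+host, and no-referrer/same-origin send nothing.
    """
    return policy.strip().lower() in ("unsafe-url", "no-referrer-when-downgrade")


if __name__ == "__main__":
    for f in find_token_exposures(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} token in {f['where']}: {f['url']}")
    for p in ("unsafe-url", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"Referrer-Policy {p}: leaks query = {referrer_policy_sends_query(p)}")
```

      Run against real logs, the first check lists the endpoints that still pass atl_token in the query string (the logout redirect in this report being one); the second tells you whether a page's Referrer-Policy would carry that query string to an embedded external resource. Moving the token into a header or POST body removes the precondition altogether.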

              Assignee: Hannes Obweger (Inactive)
              Reporter: Dave Norton (Inactive)
              Votes: 0
              Watchers: 10