Jira Service Management Data Center
JSDSERVER-15137

The feedback token for customer surveys is printed in the access log

      Issue Summary

      This is reproducible on Data Center: yes

      Steps to Reproduce

      1. Close a JSM ticket
      2. Respond to the feedback survey
      3. Check that the access log records the feedback token
      4. Use this same URL to change the feedback

      Expected Results

      • Jira would not send the feedback token as a path parameter in the URL, or
      • Jira would expire the token once it has been used

      Actual Results

      The same token can be used to change the feedback on the ticket.

      Workaround

      So far, the possible workarounds are:

      1. Restrict access to Jira's access log to the Jira process user (and sysadmins) only
      2. Rely on the change history of issues to spot suspicious changes to the survey (satisfaction) date

      This example SQL lists every change to the satisfaction date for issues where that date has been changed at least once after it was first set (the first survey response sets the date; any later change means the survey was submitted again):

      -- Issues whose satisfaction date was changed at least once after being set
      -- (the first response has no old value; a re-submission does)
      with csat_changes as (
          select distinct cg.issueid
          from changeitem ci
          join changegroup cg on cg.id = ci.groupid
          where ci.field = 'Satisfaction date' and ci.oldvalue is not null
      )
      -- Full satisfaction-date history for those issues, oldest change first
      select i.id as "Issue Id",
             concat(p.pkey, concat('-', i.issuenum)) as "Issue Key",
             cg.created as "Change date",
             ci.oldvalue as "Old value",
             ci.newvalue as "New value"
      from changeitem ci
      join changegroup cg on cg.id = ci.groupid
      join csat_changes csat on csat.issueid = cg.issueid
      join jiraissue i on i.id = cg.issueid
      join project p on p.id = i.project
      where ci.field = 'Satisfaction date'
      order by "Issue Key", cg.created;

      Sample output:

       Issue Id | Issue Key |        Change date         |        Old value         |        New value         
      ----------+-----------+----------------------------+--------------------------+--------------------------
          10201 | JSM-2     | 2024-02-23 01:14:51.063+00 |                          | 2024-02-23T01:14:51+0000
          10201 | JSM-2     | 2024-02-23 01:14:58.052+00 | 2024-02-23T01:14:51+0000 | 2024-02-23T01:14:58+0000
          10201 | JSM-2     | 2024-02-23 01:15:01.225+00 | 2024-02-23T01:14:58+0000 | 2024-02-23T01:15:01+0000
      
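The same check, as an added example that is not part of the Jira issue, applied in Python to rows exported from the query above; it goes one step further than the SQL by reporting only the re-submissions and how many seconds after the first response each one happened. The rows are constructed to match the sample output, and the hypothetical `status` row shows that other fields are ignored.

```python
"""Added example (not from the Jira issue): spot survey re-submissions in
exported change-history rows, mirroring the report's SQL.

Each constructed row is (issue_key, created, field, oldvalue, newvalue), the
columns the SQL projects from changeitem/changegroup. None stands for NULL.
"""
from datetime import datetime

# Constructed rows modelled on the 'Sample output' table of the report.
# JSM-3 has a single response (and an unrelated status change) and must not be flagged.
CHANGE_ROWS = [
    ("JSM-2", "2024-02-23T01:14:51+0000", "Satisfaction date", None, "2024-02-23T01:14:51+0000"),
    ("JSM-2", "2024-02-23T01:14:58+0000", "Satisfaction date", "2024-02-23T01:14:51+0000", "2024-02-23T01:14:58+0000"),
    ("JSM-2", "2024-02-23T01:15:01+0000", "Satisfaction date", "2024-02-23T01:14:58+0000", "2024-02-23T01:15:01+0000"),
    ("JSM-3", "2024-02-23T02:00:00+0000", "Satisfaction date", None, "2024-02-23T02:00:00+0000"),
    ("JSM-3", "2024-02-23T02:00:05+0000", "status", "Resolved", "Closed"),
]


def parse_ts(value):
    """Parse the ISO-like timestamp format used in the satisfaction date values."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S%z")


def survey_resubmissions(rows, field="Satisfaction date"):
    """Return {issue_key: [(seconds_since_first_response, old, new), ...]}
    for every issue whose satisfaction date changed after it was first set.
    Like the SQL's CTE, issues with only the initial response are left out."""
    by_issue = {}
    for key, created, fld, old, new in rows:
        if fld != field:          # only the survey field matters
            continue
        by_issue.setdefault(key, []).append((parse_ts(created), old, new))
    report = {}
    for key, changes in by_issue.items():
        changes.sort(key=lambda c: c[0])
        first = changes[0][0]      # the first response sets the date
        resub = [(int((ts - first).total_seconds()), old, new)
                 for ts, old, new in changes if old is not None]
        if resub:
            report[key] = resub
    return report


if __name__ == "__main__":
    for key, changes in survey_resubmissions(CHANGE_ROWS).items():
        print(f"{key}: survey re-submitted {len(changes)} time(s)")
        for secs, old, new in changes:
            print(f"  +{secs}s  {old} -> {new}")
```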


              Benjamin Suess
              Rodrigo Martinez (rmartinez3@atlassian.com)