Details
- Bug
- Resolution: Fixed
- High
- 8.4.0, 8.4.1, 8.6.0, 8.6.1, 8.5.3, 8.5.5, 8.8.1
- 8.04
- 11
- Severity 2 - Major
- 30
Description
Issue Summary
Jira logs to the atlassian-jira-security.log when you move an issue in a Kanban board.
Steps to Reproduce
- Install default instance
- Create Kanban project
- Create new Issue for Project (I used bug).
- Move the issue in the Kanban board to anywhere.
The following line is logged in the atlassian-jira-security.log
Expected Results
Nothing should be logged as nothing is installed that is doing anything.
Actual Results
The below is logged in the atlassian-jira-security.log file:
2019-12-03 10:59:43,920 http-nio-8080-exec-9 jiraadmin 659x2200x1 e0xw74 0:0:0:0:0:0:0:1 /secure/WorkflowUIDispatcher.jspa Potential malicious redirect detected:
Notes
Occasionally, when replicating this issue, users may see an XSRF "security token missing" error in the UI and in the atlassian-jira.log file. It looks like the following and is logged at exactly the same time as the entry in the security log:
2020-01-28 13:45:49,326 http-nio-8080-exec-165 INFO admin 825x20446011x1 ydgg8i x.x.x.x,x.x.x.x /secure/WorkflowUIDispatcher.jspa [c.a.j.web.action.XsrfErrorAction] The security token is missing for 'admin'. User-Agent : 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0'
Workaround
Required, I have not found any way to stop it currently.
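The two entries quoted under Actual Results and Notes can be matched up when reviewing logs. The following is an added example, not part of the original report or Atlassian's code: it parses both layouts and marks each redirect warning by whether it is on the endpoint from this report and whether an XSRF "token missing" entry for the same user and URL was logged at the same time. The field names, the one-second window, `/secure/Example.jspa` and all sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Field names are assumptions inferred from the two sample lines in this report.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<thread>\S+) "
    r"(?:(?P<level>DEBUG|INFO|WARN|ERROR|FATAL) )?"  # only in atlassian-jira.log
    r"(?P<user>\S+) (?P<request_id>\d+x\d+x\d+) (?P<session>\S+) "
    r"(?P<ip>\S+) (?P<url>/\S*) (?P<msg>.*)$"
)
REDIRECT_MSG = "Potential malicious redirect detected"
XSRF_CLASS = "XsrfErrorAction"
REPORTED_URL = "/secure/WorkflowUIDispatcher.jspa"

def parse(line):
    """Return a dict of fields, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return rec

def triage(security_lines, app_lines, window=timedelta(seconds=1)):
    """Annotate each redirect warning with how it relates to this report's pattern."""
    xsrf = [r for r in map(parse, app_lines) if r and XSRF_CLASS in r["msg"]]
    findings = []
    for rec in filter(None, map(parse, security_lines)):
        if REDIRECT_MSG not in rec["msg"]:
            continue
        paired = any(x["user"] == rec["user"] and x["url"] == rec["url"]
                     and abs(x["ts"] - rec["ts"]) <= window for x in xsrf)
        findings.append({"ts": rec["ts"], "user": rec["user"], "url": rec["url"],
                         "reported_endpoint": rec["url"] == REPORTED_URL,
                         "xsrf_at_same_time": paired})
    return findings

# Constructed sample lines in the layout shown above (not real log data).
SECURITY_LOG = [
    "2020-01-28 13:45:49,326 http-nio-8080-exec-165 admin 825x2044x1 ydgg8i 192.0.2.10 /secure/WorkflowUIDispatcher.jspa Potential malicious redirect detected:",
    "2020-01-28 13:50:02,101 http-nio-8080-exec-12 alice 830x2101x1 k3p9aa 192.0.2.11 /secure/WorkflowUIDispatcher.jspa Potential malicious redirect detected:",
    "2020-01-28 14:02:17,554 http-nio-8080-exec-7 bob 842x2250x1 zz81qc 192.0.2.12 /secure/Example.jspa Potential malicious redirect detected:",
]
APP_LOG = [
    "2020-01-28 13:45:49,326 http-nio-8080-exec-165 INFO admin 825x2044x1 ydgg8i 192.0.2.10 /secure/WorkflowUIDispatcher.jspa [c.a.j.web.action.XsrfErrorAction] The security token is missing for 'admin'.",
]

if __name__ == "__main__":
    for finding in triage(SECURITY_LOG, APP_LOG):
        print(finding)
```

Warnings where `reported_endpoint` is false fall outside what this report describes and should be reviewed on their own merits.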