An exploitable CSRF vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. The login form doesn’t require a CSRF token. As a result, an attacker can log a user into the system under an unexpected account.
Atlassian Jira 7.6.4
Atlassian Jira 8.1.0
3.5 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CWE-352 - Cross-Site Request Forgery (CSRF)
A POST to /login.jsp carrying a valid username and password establishes a session for that account in the browser that sent it, with no CSRF token required. Because the request can be forged from another site, a victim's browser can be logged into an account the attacker controls without the victim's involvement. This may allow an attacker to access information related to private activities the victim subsequently performs while logged into that account.
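As an added defensive example that is not part of this advisory or of Jira's own code, the following Python models the gate a form-login handler needs so that a cross-site POST cannot establish a session: a random token bound to the pre-authentication session and checked on submission, plus an Origin comparison. The site origin, the `csrf_token` hidden-field name and the `LoginRequest` model are assumptions constructed for the example.

```python
"""Login-CSRF mitigation for a form login endpoint (hypothetical helper, not Jira's code)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

SITE_ORIGIN = "https://jira.example.test"  # constructed placeholder for the site's origin


@dataclass
class LoginRequest:
    """Minimal model of a browser POST to the login form (constructed for this example)."""
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)
    session: Dict[str, str] = field(default_factory=dict)


def issue_login_token(session: Dict[str, str]) -> str:
    """Called when the login form is rendered: bind a fresh random token to the
    pre-authentication session and embed it in the form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["login_csrf"] = token
    return token


def login_request_allowed(req: LoginRequest) -> Tuple[bool, str]:
    """Gate that runs before the submitted credentials are even looked at.
    Returns (allowed, reason) so a rejection can be logged with its cause."""
    # 1. Origin check: browsers attach Origin to cross-site form POSTs and a
    #    third-party page cannot alter it, so a mismatch is rejected outright.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, "origin mismatch"
    # 2. Synchronizer token: the value must exist in the pre-auth session and
    #    in the form, and match in constant time. A forged cross-site page
    #    cannot read the victim's session token, so it cannot supply it.
    expected = req.session.get("login_csrf")
    supplied = req.form.get("csrf_token")  # hidden-field name assumed for the example
    if not expected or not supplied:
        return False, "missing login token"
    if not hmac.compare_digest(expected, supplied):
        return False, "token mismatch"
    return True, "ok"
```

The token is deliberately stored in the session that exists before login, since a login form has no authenticated user yet to bind it to.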
2019-05-14 - Vendor Disclosure
2019-06-17 - Vendor advised issue under review with possible relation to another issue
2019-06-20 - Support ticket (GHS-153718) frozen; internal ticket (JRA-SERVER-32076) created and ticket (JRA-SERVER-67979) reopened
2019-09-10 - CVE assigned and vendor advised issue tracked for future fix/release
2019-09-16 - Public Release
Discovered by Ben Taylor of Cisco ASIG.