Talos Vulnerability Report

TALOS-2019-0834

Atlassian Jira CSRF Login Vulnerability

September 16, 2019
CVE Number

CVE-2019-15002

Summary

An exploitable CSRF vulnerability exists in Atlassian Jira, from versions 7.6.4 to 8.1.0. The login form doesn't require a CSRF token. As a result, an attacker can log a user into the system under an unexpected account.

Tested Versions

Atlassian Jira 7.6.4
Atlassian Jira 8.1.0

Product URLs

https://www.atlassian.com/software/jira

CVSSv3 Score

3.5 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Details

A POST to /login.jsp containing a valid username and password creates an authenticated session for that user, and no anti-CSRF token is required on the request. A page under the attacker's control can therefore submit such a POST from the victim's browser using the attacker's own credentials, silently logging the victim into Jira as the attacker (login CSRF). Anything private the victim then does in that session, such as searches run, issues created, or data entered, is recorded in the attacker's account, and the attacker can later log in and read it.

Timeline

2019-05-14 - Vendor Disclosure
2019-06-17 - Vendor advised issue under review with possible relation to another issue
2019-06-20 - Support ticket (GHS-153718) frozen, created internal ticket (JRA-SERVER-32076) and reopened ticket (JRA-SERVER 67979)
2019-09-10 - CVE assigned and vendor advised issue tracked for future fix/release
2019-09-16 - Public Release

Credit

Discovered by Ben Taylor of Cisco ASIG.