
Atlassian JIRA 6.1.x < 6.1.5 Multiple CSRF / XSRF

Medium

Synopsis

The remote web server hosts an application that is vulnerable to multiple Cross-Site Request Forgery (CSRF/XSRF) attack vectors.

Description

The version of JIRA installed on the remote host is earlier than 6.1.5 and is affected by multiple CSRF/XSRF vulnerabilities:

Multiple flaws exist because HTTP requests to the following components do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions:

- 'Undo' method of 'FavouriteResource.java' (OSVDB 124964)
- 'updateUserAvatar' method of 'ProjectAvatarResource.java' (OSVDB 124965)
- 'setCurrent' method of 'ProjectCategoriesResource.java' (OSVDB 124966)
- 'getRenderedContent' method of 'RenderersResource.java' (OSVDB 124967)
- 'validateProject' method of 'ValidationResource.java' (OSVDB 124968)
- 'updateUserAvatar', 'createAvatarFromTermporary', 'storeTemporaryAvatar', and 'storeTemporaryAvatarUsingMultiPart' methods of 'UserResource.java' (OSVDB 124969)
- 'storeTemporaryAvatar' and 'storeTemporaryAvatarUsingMultiPart' methods of 'ProjectResource.java' (OSVDB 124970)
- 'validate' and 'testHandler' methods of 'MessageHandlersResource.java' (OSVDB 124971)
- 'addVoter' and 'addWatcher' methods of 'IssueResource.java' (OSVDB 124972)
- 'watchIssue' and 'voteIssue' methods of 'JiraInlineActionResource.java' (OSVDB 124973)

By tricking a user into following a specially crafted link, a context-dependent attacker can perform a CSRF/XSRF attack causing the victim to manipulate settings.
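The missing control described above is a per-session anti-forgery token on state-changing requests. The following Python model, added here as an illustration and not code from JIRA or from the plugin author, contrasts an unprotected handler (any request carrying the victim's session cookie performs the action) with one that enforces a synchronizer token plus an Origin/Referer check. The REST paths, the `X-CSRF-Token` header name, the `csrf_token` form field and the `jira.example.test` origin are assumptions made for the example; the forged request is a constructed stand-in for a form auto-submitted from a third-party page.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins for three of the REST actions the advisory lists.
# The paths are illustrative assumptions, not JIRA's real routes.
STATE_CHANGING = {
    ("POST", "/rest/api/2/issue/PROJ-1/watchers"),  # IssueResource.addWatcher
    ("POST", "/rest/api/2/issue/PROJ-1/votes"),     # IssueResource.addVoter
    ("POST", "/rest/api/2/user/avatar"),            # UserResource.updateUserAvatar
}

TRUSTED_ORIGIN = "https://jira.example.test"  # assumed site origin


@dataclass
class Session:
    """Server-side session; the CSRF token is bound to it, never to the URL."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict
    session: Session  # the browser attached the session cookie automatically


def handle_unprotected(req: Request) -> str:
    """'Before' behaviour: an authenticated request alone performs the action."""
    if (req.method, req.path) in STATE_CHANGING:
        return "performed"
    return "ignored"


def _same_origin(source: str) -> bool:
    """True when an Origin (exact) or Referer (prefix) value is our own site."""
    return source == TRUSTED_ORIGIN or source.startswith(TRUSTED_ORIGIN + "/")


def handle_protected(req: Request) -> str:
    """Hardened handler: state-changing requests must prove same-site intent."""
    if (req.method, req.path) not in STATE_CHANGING:
        return "ignored"
    # Defence in depth: a browser-supplied Origin/Referer that is not ours is
    # rejected outright. Absent headers fall through to the token check.
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if source and not _same_origin(source):
        return "rejected: cross-origin"
    # Synchronizer token, accepted from a custom header or a form field
    # (both names are assumptions). Constant-time compare avoids timing leaks.
    presented = req.headers.get("X-CSRF-Token") or req.form.get("csrf_token", "")
    if not presented or not hmac.compare_digest(presented, req.session.csrf_token):
        return "rejected: missing or invalid token"
    return "performed"


def demo() -> dict:
    """Run a legitimate request and two forged ones through both handlers."""
    victim = Session(user="alice")
    path = "/rest/api/2/issue/PROJ-1/watchers"
    legit = Request("POST", path,
                    headers={"Origin": TRUSTED_ORIGIN,
                             "X-CSRF-Token": victim.csrf_token},
                    form={"username": "alice"}, session=victim)
    # Constructed forged requests: alice's cookie rides along, but another
    # site cannot read her token. One carries a foreign Origin, one none at all.
    forged = Request("POST", path,
                     headers={"Origin": "https://attacker.example.test"},
                     form={"username": "alice"}, session=victim)
    forged_no_origin = Request("POST", path, headers={},
                               form={"username": "alice"}, session=victim)
    return {
        "legit_unprotected": handle_unprotected(legit),
        "forged_unprotected": handle_unprotected(forged),
        "legit_protected": handle_protected(legit),
        "forged_protected": handle_protected(forged),
        "forged_no_origin_protected": handle_protected(forged_no_origin),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The unprotected handler performs the forged request because the session cookie is all it checks, which is exactly the gap the advisory describes; the protected handler rejects it on either the origin or the token check, while the legitimate same-site request still succeeds.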

Solution

Update to JIRA 6.1.x version 6.1.5 or later.