Main Vulnerability Database Vulnerabilities #VU12770

#VU12770 Cross-site request forgery in Jira Software - CVE-2017-16862

Published: May 16, 2018 / Updated: May 17, 2018

Vulnerability identifier: #VU12770

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-16862

CWE-ID: CWE-352

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Jira Software

Software vendor:
Atlassian

Description

The vulnerability allows a remote attacker to perform CSRF attack.

The weakness exists due to insufficient CSRF protections. A remote attacker can create a specially crafted HTML page or URL, trick the victim into visiting it, gain access to the system and modify the "incoming mail" whitelist setting.

Remediation

Update to versions 7.7.0, 7.6.2 or 7.6.3.

External links

https://jira.atlassian.com/browse/JRASERVER-66622