After running an Alienvault USM scan against Jira, it found a medium vulnerability:
Port 443 'Vulnerability Detection Result: The cookies: Set-Cookie: atlassian.xsrf.token=xxxxxxxxxxxxxxxxxxxxx|lout; Path=/ are missing the "httpOnly" attribute. Insight: The flaw is due to a cookie is not using the 'httpOnly' attribute.'
Looking at the network packets I can see that there are two cookies:
JSESSIONID has two attributes - 'secure: true' & 'httpOnly: true'
atlassian.xsrf.token has only one attribute - 'secure: true'
Is there a way to set the 'httpOnly: true' attribute on the atlassian.xsrf.token cookie.
Thanks in advance.
i found :
context.xml file of the Tomcat installation running JIRA in a text editor.
Add the following
Manager element within the
Contextelement of this file:
... <Context useHttpOnly="true"> ... <Manager/> ... </Context> ...
To disable HttpOnly Session ID cookies, change the value of the
useHttpOnly parameter to
This community is celebrating its one-year anniversary and Atlassian co-founder Mike Cannon-Brookes has all the feels.Read more
Hi Community! My name is Amir and I’m on the Jira Service Desk product marketing team at Atlassian. Our team would love to understand how you’re leveraging our ecosystem for Jira Service Desk. Wha...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG
You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs