Which JIRA version closes CSRF, XSS attacks

Hi All,

Currently we are using JIRA 3.13. This version has many vulnerabilities like XSS, CSRF, XFS, improper session management, no strong password policy, no account lockout feature, etc.

Could anyone please let me know which JIRA version eliminates all these vulnerabilities and the steps required for migration.


Kavitha Sama

3 answers

1 accepted

0 votes
Accepted answer

Basically, the security advice is usually "use the latest version". At the very least, you need to be on 5.1 or above to avoid a lot of the problems. Read https://confluence.atlassian.com/display/JIRA/Upgrading+JIRA and then I'd highly recommend reading every minor release note thereafter - 4.0, 4.1, 4.2 etc. (don't worry too much about the point releases).

The password/lockout stuff can be fixed by using external user management :-) BUT, you'll need to do that in any version :-(

Thanks Nic Brough for clarifying the query and sharing valuable information. This link helps me with how to proceed with upgrading JIRA. I need a small clarification on the upgrading process.

While upgrading, will all the customized workflows in the current JIRA be copied to the new JIRA by the restore process of the backup XML of the old JIRA, or do we need to recreate the workflows in the new JIRA?

Kavitha Sama

The database contains everything - the only things that live outside the database are code changes, some small bits of configuration you can't do inside the application and your attachments. A slightly different way to think of it - if you can change it in the UI, it'll be upgraded.

Have a look at the security advisories, which inform us which vulnerabilities were resolved in which versions.



Have installed the latest JIRA version 6.1.7 and observed that the CSRF and XSS vulnerabilities are closed, but there are still a few vulnerabilities observed, like cross frame scripting (XFS) attack, vulnerable input validation and SQL injection, and it was recommended to enforce strong input validation and output encoding throughout the application, but the product allows all special characters including the blacklisted characters. Please suggest how to fix this?

Also, how to restrict uploads to only specific file types, as this product allows all file types to be uploaded, i.e. any exe / double extension files (.bat.jpeg, .html, .dll, etc.) with malicious content. Please suggest.
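The two controls asked about in the post above (restricting uploads to an allowlist of file types, rejecting double extensions, and encoding user text before it is rendered as HTML) are generic and do not depend on JIRA. The following is an added illustration written for this thread, not code from JIRA or Atlassian; the extension allowlist, the magic-byte table and the basename policy are assumptions for the example and should be adjusted to the deployment's own needs.

```python
import html
import os
import re

# Assumed upload policy for this example: an allowlist of extensions, never a blocklist.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "log"}

# Leading bytes of the binary types we allow, so that a ".jpeg" name must also be a JPEG.
MAGIC_BYTES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

# Basename must be short and drawn from a conservative character set.
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def check_upload(filename, head):
    """Decide whether an upload is acceptable.

    filename: the name supplied by the client (untrusted).
    head:     the first bytes of the uploaded content.
    Returns (accepted, reason).
    """
    # Drop any path component the client sent ("../x", "C:\\x"), then split on dots.
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.split(".")
    if len(parts) != 2:
        # Rejects bare names and every double extension such as "x.bat.jpeg".
        return False, "exactly one extension is required"
    base, ext = parts[0], parts[1].lower()
    if not SAFE_BASENAME.fullmatch(base):
        return False, "basename contains characters outside [A-Za-z0-9_-]"
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension .%s is not in the allowlist" % ext
    magic = MAGIC_BYTES.get(ext)
    if magic is not None and not head.startswith(magic):
        # The name says one thing, the bytes say another: treat as a mismatch.
        return False, "content does not match the .%s signature" % ext
    if ext in {"txt", "log"} and re.search(rb"<\s*(script|html|iframe)", head, re.IGNORECASE):
        # A browser may sniff and render a "text" file; refuse markup in it.
        return False, "text file contains markup"
    return True, "ok"


def encode_for_html(user_text):
    """Output-encode untrusted text for an HTML element or attribute context."""
    return html.escape(user_text, quote=True)


if __name__ == "__main__":
    # Constructed sample inputs, not real uploads.
    samples = [
        ("report.pdf", b"%PDF-1.4\n"),
        ("x.bat.jpeg", b"\xff\xd8\xff\xe0"),
        ("evil.html", b"<html>"),
        ("photo.jpeg", b"GIF89a"),
        ("notes.txt", b"<script>alert(1)</script>"),
    ]
    for fname, head in samples:
        print(fname, check_upload(fname, head))
    print(encode_for_html('<a href="x">'))
```

The check is deliberately an allowlist: a blocklist of "bad" characters or extensions is what leaves double extensions and look-alike names through, whereas requiring exactly one known extension, a conservative basename and a matching content signature closes those cases at once. Output encoding is applied at render time, so the application can still store the special characters users legitimately type.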

