Which JIRA version closes CSRF, XSS attacks

Hi All,

Currently we are using JIRA 3.13. This version has many vulnerabilities like XSS, CSRF, XFS, improper session management, no strong password policy, no account lockout feature, etc.

Could anyone please let me know which JIRA version eliminates all these vulnerabilities and the steps required for migration.


Kavitha Sama

3 answers

1 accepted


Basically, the security advice is usually "use the latest version". At the very least, you need to be on 5.1 or above to avoid a lot of the problems. Read https://confluence.atlassian.com/display/JIRA/Upgrading+JIRA and then I'd highly recommend reading every minor release note thereafter - 4.0, 4.1, 4.2 etc. (don't worry too much about the point releases).

The password/lockout stuff can be fixed by using external user management :-) BUT, you'll need to do that in any version :-(

Thanks Nic Brough for clarifying the query and sharing valuable information. This link helps me with how to proceed with upgrading JIRA. I need a small clarification on the upgrading process.

While upgrading, will all the customized workflows in the current JIRA be copied to the new JIRA by the restore of the backup XML of the old JIRA, or do we need to recreate the workflows in the new JIRA?

Kavitha Sama

The database contains everything - the only things that live outside the database are code changes, some small bits of configuration you can't do inside the application and your attachments. A slightly different way to think of it - if you can change it in the UI, it'll be upgraded.


Have a look at the security advisories, which inform us which vulnerabilities were resolved in which versions.




I have installed the latest JIRA version 6.1.7 and observed that the CSRF and XSS vulnerabilities are closed, but there are still a few vulnerabilities observed, like cross frame scripting (XFS) attack, vulnerability to input validation and SQL injection, and it was recommended to enforce strong input validation and output encoding throughout the application, but the product allows all special characters, including the blacklisted characters. Please suggest how to fix this.

Also, how do we restrict uploads to only specific file types, as this product allows all file types to be uploaded, i.e. any exe / double-extension files (.bat.jpeg, .html, .dll, etc.) with malicious content? Please suggest.
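One way to implement the file-type restriction asked about above, as an added example that is not part of the original thread and is not JIRA's own code: a Python allowlist check that rejects a dangerous extension anywhere in the name chain (so `report.bat.jpeg` is caught, not just `report.bat`), accepts only a single allowlisted extension, and confirms that the file's leading bytes match the type the name claims. The allowlist, the dangerous-extension set and the sample uploads are assumptions chosen for illustration.

```python
"""Upload filename and content allowlist check (added example, not JIRA code).

Rejects double-extension names such as "report.bat.jpeg" and files whose
bytes do not match the image or document type the extension claims.
The allowlist below and the sample inputs are assumptions for illustration.
"""
import posixpath
from typing import Optional

# Hypothetical allowlist: permitted extension -> magic bytes the content must
# start with (None means no signature check is possible, e.g. plain text).
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "txt": None,
}

# Extensions that must never appear anywhere in the name, even as the inner
# part of a double extension ("evil.exe.png", "page.html.txt").
DANGEROUS = {
    "exe", "bat", "cmd", "com", "dll", "scr", "vbs", "ps1", "sh",
    "html", "htm", "js", "jsp", "php", "svg",
}


def validate_upload(filename: str, data: bytes) -> Optional[str]:
    """Return None if the upload is acceptable, otherwise a rejection reason."""
    # Keep only the final path component so "../x" or "C:\\x" cannot smuggle a path.
    base = posixpath.basename(filename.replace("\\", "/")).strip()
    if not base or base.startswith("."):
        return "missing or hidden filename"

    parts = base.lower().split(".")
    if len(parts) < 2:
        return "no extension"
    exts = parts[1:]  # every extension in the chain, e.g. ["bat", "jpeg"]
    if "" in exts:
        return "empty extension"

    # Check the whole chain, not just the last extension: this is the step a
    # naive "endswith('.jpeg')" check skips, and why double extensions get through.
    bad = sorted(set(exts) & DANGEROUS)
    if bad:
        return f"dangerous extension in name: {bad[0]}"

    # Only one extension, and it must be on the allowlist.
    if len(exts) != 1:
        return "multiple extensions not allowed"
    ext = exts[0]
    if ext not in ALLOWED:
        return f"extension not allowlisted: {ext}"

    # Name says image/document; make the bytes prove it. A renamed executable
    # ("MZ..." as report.jpeg) fails here even though its name passed.
    magic = ALLOWED[ext]
    if magic is not None and not data.startswith(magic):
        return f"content does not match .{ext} signature"
    return None


if __name__ == "__main__":
    # Constructed sample uploads (not real data).
    samples = [
        ("photo.bat.jpeg", b"\xff\xd8\xff\xe0"),   # double extension
        ("report.jpeg", b"MZ\x90\x00"),            # PE header with an image name
        ("logo.png", b"\x89PNG\r\n\x1a\n\x00"),    # genuine PNG header
    ]
    for name, blob in samples:
        print(f"{name!r}: {validate_upload(name, blob) or 'accepted'}")
```

The two halves are complementary: the name check alone is defeated by renaming an executable to `.jpeg`, and the signature check alone would still accept `page.html` if HTML were on the allowlist. Wherever the check runs (in front of the application or in the upload handler itself), both conditions have to hold before the file is stored.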

