How does Jira on-premise server run plugins?

Hello dear community,

We're trying to create a security policy regarding the installation of plugins from the marketplace on Jira on-premise server.

1. Can someone confirm my assumption that plugins run within the JVM on the server?

2. What about updates, can any author issue an update to their plugin and it will auto-update on my server? Or is it an elective process?

3. Does anyone know of any malicious plugin incidents?

4. Does anyone know if plugins were ever used as an attack vector?

Thanks in advance, community!

2 answers

1 accepted

0 votes
Answer accepted
  1. It's more complex than that - Jira provides a framework for apps to work on, but in turn, Jira is running inside an application server (Tomcat) which in itself is then running inside the JVM.  Not all apps run inside Jira, some run separately to it (but you'll spot these when you read the installation instructions for them, as they won't be just "click to add/upgrade")
  2. It's your server, your app, your choice when to upgrade.  Authors cannot push
  3. Yes.  You can get a lot of protection from the simple rule of "only install from the marketplace" - a couple of malicious ones have snuck through in the past, but it's rare and been quickly spotted.  Installing from other sources - don't.  Only use stuff:
    1. that's from marketplace
    2. debug versions of marketplace apps direct from vendors
    3. apps you've written internally and hence are in control of all the security
  4. Yes, security holes have been found and exploited in marketplace apps.  Again, it's rare, and been quickly fixed.

Thank you for your detailed reply

0 votes

Very interesting question @Yaniv K 


As far as I know 

1 - Yes, they run inside the JVM on the server

2 - You have to choose to upgrade the plugin

3 - The plugins go through an evaluation from Atlassian. It could happen, but I think that hasn't happened.

4 - You have to understand that some base functionalities are provided by plugins made by Atlassian. I can remember that it happened on Confluence, but I'm sure it can happen on Jira.

Thank you for your reply!
