CVE-2018-13401: CSRF
First published: Tue Oct 23 2018(Updated: )
The XsrfErrorAction resource in Atlassian Jira before version 7.6.9, from version 7.7.0 before version 7.7.5, from version 7.8.0 before version 7.8.5, from version 7.9.0 before version 7.9.3, from version 7.10.0 before version 7.10.3, from version 7.11.0 before version 7.11.3, from version 7.12.0 before version 7.12.3, and before version 7.13.1 allows remote attackers to obtain a user's Cross-site request forgery (CSRF) token through an open redirect vulnerability.
Credit: security@atlassian.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atlassian Jira | <7.6.9 | |
| Atlassian Server | >=7.7.0<7.7.5 | |
| Atlassian Server | >=7.8.0<7.8.5 | |
| Atlassian Server | >=7.9.0<7.9.3 | |
| Atlassian Server | >=7.10.0<7.10.3 | |
| Atlassian Server | >=7.11.0<7.11.3 | |
| Atlassian Server | >=7.12.0<7.12.3 | |
| Atlassian Server | >=7.13.0<7.13.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-13401?
CVE-2018-13401 is rated as a medium severity vulnerability.
How do I fix CVE-2018-13401?
To fix CVE-2018-13401, update Atlassian Jira to a version higher than 7.6.9 or between versions 7.7.5 and 7.13.1.
What versions are affected by CVE-2018-13401?
CVE-2018-13401 affects Atlassian Jira versions before 7.6.9, between 7.7.0 and 7.7.5, between 7.8.0 and 7.8.5, and various higher versions up to 7.13.1.
Is CVE-2018-13401 applicable to Jira Server?
Yes, CVE-2018-13401 specifically affects Jira Server versions in the specified ranges.
What security impact does CVE-2018-13401 have on Jira?
CVE-2018-13401 can lead to potential cross-site request forgery attacks in affected Jira instances.
- agent/references
- agent/type
- agent/severity
- agent/author
- agent/weakness
- agent/description
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/atlassian
- canonical/atlassian jira
- canonical/atlassian server
- version/atlassian server/7.7.0
- version/atlassian server/7.8.0
- version/atlassian server/7.9.0
- version/atlassian server/7.10.0
- version/atlassian server/7.11.0
- version/atlassian server/7.12.0
- version/atlassian server/7.13.0