PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6285 Atlassian CVE debrief

CVE-2016-6285 is a cross-site scripting (XSS) issue in Atlassian Jira that can let a remote attacker inject web script or HTML through the HTTP Host header. The CVE record and NVD metadata indicate affected Jira versions through 7.2.1, with Jira 7.2.2 referenced as the fix point. Because the attack is network-reachable and requires only user interaction, exposed Jira instances should be prioritized for update, especially if they are reachable from untrusted networks.

Vendor
Atlassian
Product
CVE-2016-6285
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-31
Original CVE updated
2026-05-13
Advisory published
2017-01-31
Advisory updated
2026-05-13

Who should care

Administrators, security teams, and platform owners running Atlassian Jira versions 7.2.1 or earlier, particularly internet-facing deployments and environments where users may browse Jira links from untrusted sources.

Technical summary

The vulnerability is classified as CWE-79 (cross-site scripting). NVD lists the vector as CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, which means it is reachable over the network, needs no privileges, and can affect the security scope of the application when a user is induced to load a crafted request. The affected component is identified in the CVE description as includes/decorators/global-translations.jsp, and the injection surface is the HTTP Host header. The vulnerable version range in the supplied NVD metadata ends at Jira 7.2.1, with 7.2.2 identified in Atlassian release notes as the relevant update.

Defensive priority

Medium, with higher urgency for any Jira instance exposed to the internet or used by many internal users. The combination of unauthenticated remote reachability and user interaction makes timely patching important.

Recommended defensive actions

  • Upgrade Atlassian Jira to 7.2.2 or later, or to a currently supported release.
  • Validate any reverse proxy, load balancer, or web server configuration that forwards the Host header to Jira and ensure unexpected hostnames are rejected or normalized.
  • Review Jira access logs for unusual Host header values or requests that appear designed to influence page rendering.
  • Restrict external access to Jira where possible until patching is complete, especially for administrative and high-value instances.
  • Confirm that custom integrations, templates, or proxy rules do not rely on unsafe handling of request host values after the upgrade.

Evidence notes

The CVE description states that Jira before 7.2.2 is vulnerable to XSS via the HTTP Host header in includes/decorators/global-translations.jsp. NVD metadata provides the affected CPE range through 7.2.1 and assigns CWE-79 with a CVSS 3.0 vector of AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Atlassian release notes for Jira 7.2.2 are included in the source corpus as the relevant remediation reference, and the Jira issue reference JRA-61888 is listed as a vendor advisory reference. Third-party disclosure/advisory links are present in the corpus, but this debrief does not rely on their exploit details.

Official resources

Publicly disclosed on 2017-01-31 in the CVE/NVD record. The supplied NVD record was modified on 2026-05-13. Atlassian release notes in the corpus point to Jira 7.2.2 as the remediation version.